| File name: | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a9ff25d4-bc39-4bf6-9abf-7c73fa89d601.tmp |
| Full analysis: | https://app.any.run/tasks/24de7f2c-b2e8-49e9-818d-13b9f2548dca |
| Verdict: | Malicious activity |
| Analysis date: | November 06, 2023, 19:17:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | very short file (no magic) |
| MD5: | 5058F1AF8388633F609CADB75A75DC9D |
| SHA1: | 3A52CE780950D4D969792A2559CD519D7EE8C727 |
| SHA256: | CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8 |
| SSDEEP: | 3:L:L |
MALICIOUS
Steals credentials from Web Browsers
- cmd.exe (PID: 3412)
Actions looks like stealing of personal data
- cmd.exe (PID: 3412)
SUSPICIOUS
Reads the Internet Settings
- SearchProtocolHost.exe (PID: 2392)
INFO
Manual execution by a user
- explorer.exe (PID: 3624)
- cmd.exe (PID: 3412)
- wmpnscfg.exe (PID: 4068)
Checks supported languages
- wmpnscfg.exe (PID: 4068)
Reads the computer name
- wmpnscfg.exe (PID: 4068)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 4068)
Executes as Windows Service
- SearchIndexer.exe (PID: 2164)
- SearchIndexer.exe (PID: 2028)
Creates files in the program directory
- SearchIndexer.exe (PID: 2164)
- SearchIndexer.exe (PID: 2028)
Creates files or folders in the user directory
- SearchProtocolHost.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
59
Monitored processes
9
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2028 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\System32\SearchIndexer.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Indexer Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2164 | C:\Windows\system32\SearchIndexer.exe /Embedding | C:\Windows\System32\SearchIndexer.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Indexer Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2300 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
| 2324 | "C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 | C:\Windows\System32\SearchFilterHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Search Filter Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
| 2392 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
| 3412 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3428 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Desktop\a9ff25d4-bc39-4bf6-9abf-7c73fa89d601.tmp" | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3624 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4068 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 272
Read events
4 708
Write events
355
Delete events
209
Modification events
| (PID) Process: | (4068) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{CE7E2C0F-8757-4559-A6C9-13F243463236}\{5515D3C1-0BE8-40C5-AC94-37ECA7AF1489} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4068) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{CE7E2C0F-8757-4559-A6C9-13F243463236} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4068) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{5CCD9085-1CBD-4733-8EEE-CB1677D7CC97} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState |
| Operation: | delete value | Name: | 000003f5 |
Value: 010000008C4BC65C200C00000100000000000000 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState |
| Operation: | delete value | Name: | 000003eb |
Value: 01000000C6A5C65C200C00000100000000000000 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState |
| Operation: | delete value | Name: | 00000bdc |
Value: 0100000066A8C65C200C00000100000000000000 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager |
| Operation: | write | Name: | UseSystemTemp |
Value: 0 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex |
| Operation: | write | Name: | SystemLcid |
Value: 1033 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0 |
| Operation: | write | Name: | CrawlControl |
Value: 0 | |||
| (PID) Process: | (2164) SearchIndexer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1 |
| Operation: | write | Name: | CrawlControl |
Value: 0 | |||
Executable files
0
Suspicious files
25
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002 | binary | |
MD5:D55C0CFDACD324A50B20D82C23AE957C | SHA256:70C336472B02A29928327DBBF62E8DE9886F2A163D206B2C687D9C76A407F4CA | |||
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001 | binary | |
MD5:D55C0CFDACD324A50B20D82C23AE957C | SHA256:70C336472B02A29928327DBBF62E8DE9886F2A163D206B2C687D9C76A407F4CA | |||
| 2028 | SearchIndexer.exe | C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.002 | binary | |
MD5:FCD6BCB56C1689FCEF28B57C22475BAD | SHA256:DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31 | |||
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrs | binary | |
MD5:87E50E8586DBA6B53A60855024388427 | SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0 | |||
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb | binary | |
MD5:0339AE285F967E32CFE942D9C31E2131 | SHA256:B861AD70A29AF912D11661E5632A45D2B23DE7F98578ECE2992F7D49A4C78481 | |||
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk | binary | |
MD5:97181D7BDA7D8A5F05BF05A39202D885 | SHA256:BE4BFB6B55A8D96BA98DFDE339EC8B47237A60FFB4117494A682201BC59ED6D1 | |||
| 2028 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs | binary | |
MD5:87E50E8586DBA6B53A60855024388427 | SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0 | |||
| 2164 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log | binary | |
MD5:1682B22ABA1029B2336124D53A46A054 | SHA256:9FC4A220C054B73794B622910E5E7520EFC4E871F2D7608979B564D6321033F5 | |||
| 2164 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrs | binary | |
MD5:87E50E8586DBA6B53A60855024388427 | SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0 | |||
| 2028 | SearchIndexer.exe | C:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAB0001.000 | binary | |
MD5:7CA2DA6F1E7BCA562D7D9376700A912F | SHA256:04FD7654331261FF9EC331C31B238BA7770F082ABFB817D7881813EC02084A4E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |