Category: FILE
Started On: 2013-10-10 22:11:00
Completed On: 2013-10-10 22:15:56
Duration: 296 seconds
Cuckoo Version: 0.6

File Details

File name searchindexer.exe
File size 424871 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 0D9BDF36
MD5 2d583a9ffaaf7e259f201adebc01d30e
SHA1 d5c7bc3b9f35b974fd1628804906aaea7b6ac7b6
SHA256 0aacb55e17acdfb94c362965fb86eac3ac71ebe7f606a3b809a719a6e30450ac
SHA512 f1f1bd8adee1b2e1391d2dc1b9546ef52397d9b68205522926da1f918ab461abb61aa332013dc93430b1fde27d9fbc3f636150fa2fb08c1153dfe14c1d169f1d
Ssdeep 12288:JK2mhAMJ/cPlDpSkI2M4DnbuarVm6IzzxvVXs6w:o2O/GlDLM4DCWV4lpRw
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal 17/48

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious
Installs itself for autorun at Windows startup
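The behaviour summary further down (the RarSFX0 temp directory, the __tmp_rar_sfx_access_check file and the HKCU\Software\WinRAR SFX key) says the sample is a WinRAR self-extractor. An added example, not part of the Cuckoo report, of the static check that corroborates this from the binary alone: walk the PE section table, then look for the RAR marker block in the overlay and hash what follows so the embedded payload can be pivoted on independently of the sandbox run. The sample bytes are constructed here because the analysed file is not on the page; the RAR marker constants and the PE header offsets are standard.

```python
"""Static check corroborating the WinRAR-SFX traces in the report.

A RAR self-extractor is a PE stub with the archive appended as an overlay
after the last section. Locating the RAR marker block lets you carve and
hash the embedded payload (here, SearchIndex.exe) without running it.
"""
import hashlib
import struct
from typing import Optional

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # marker block, RAR 1.5 - 4.x
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # marker block, RAR 5.x


def pe_image_end(data: bytes) -> Optional[int]:
    """Offset just past the last section's raw data, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size
    end = 0
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_rar_payload(data: bytes) -> Optional[dict]:
    """Find an embedded RAR archive. 'in_overlay' is True when the marker
    sits past the PE image, which is where an SFX stub keeps its archive;
    a marker inside a section is more likely a false hit on string data."""
    for version, marker in (("RAR5", RAR5_MARKER), ("RAR4", RAR4_MARKER)):
        off = data.find(marker)
        if off != -1:
            img_end = pe_image_end(data)
            return {"version": version, "offset": off,
                    "in_overlay": img_end is not None and off >= img_end}
    return None


def payload_hashes(data: bytes, offset: int) -> dict:
    """Hashes of the carved archive, for comparison with the File Details
    table and for pivoting on the dropped file independently."""
    blob = data[offset:]
    return {alg: hashlib.new(alg, blob).hexdigest() for alg in ("md5", "sha1", "sha256")}


def build_sample() -> bytes:
    """Constructed stand-in for searchindexer.exe (the real sample is not
    on the page): a minimal PE with one section ending at 0x300 and a RAR4
    marker appended as overlay."""
    img = bytearray(0x300)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x40 + 6, 1)              # NumberOfSections
    struct.pack_into("<H", img, 0x40 + 20, 0)             # SizeOfOptionalHeader
    sec = 0x40 + 24
    img[sec:sec + 8] = b".text\x00\x00\x00"
    struct.pack_into("<II", img, sec + 16, 0x100, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(img) + RAR4_MARKER + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample()
    hit = find_rar_payload(sample)
    print(hit)
    if hit and hit["in_overlay"]:
        print(payload_hashes(sample, hit["offset"]))
```

On the real file, feed the whole image to find_rar_payload and, if the marker is in the overlay, carve from that offset and unpack with a RAR tool to get SearchIndex.exe without letting the stub run; the overlay test matters because a "Rar!" string inside a section is not evidence of an SFX.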

Screenshots

Static Analysis

Sections

Imports

Dropped Files

  • SearchIndex.exe
  • searchindexer.exe
  • SearchIndex.exe.lnk

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

Files
  • PIPE\lsarpc
  • C:\DOCUME~1\Gi0\LOCALS~1\Temp\searchindexer.exe
  • C:\WINDOWS\system32\msctfime.ime
  • C:\WINDOWS\win.ini
  • C:\WINDOWS\Registration\R00000000000b.clb
  • C:\DOCUME~1\Gi0\LOCALS~1\Temp\RarSFX0
  • __tmp_rar_sfx_access_check_648562
  • SearchIndex.exe
  • FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  • MountPointManager
  • IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  • STORAGE#Volume#1&30a96598&0&SignatureA903A903Offset7000Length4FF7B1000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  • C:\Documents and Settings
  • C:\Documents and Settings\Gi0
  • C:\Documents and Settings\Gi0\Start Menu
  • C:\Documents and Settings\Gi0\Start Menu\desktop.ini
  • C:\Documents and Settings\Gi0\Start Menu\Programs
  • C:\Documents and Settings\Gi0\Start Menu\Programs\desktop.ini
  • C:\Documents and Settings\Gi0\Start Menu\Programs\Startup
  • C:\Documents and Settings\Gi0\Start Menu\Programs\Startup\desktop.ini
  • C:\DOCUME~1
  • C:\Documents and Settings\Gi0\LOCALS~1
  • C:\Documents and Settings\Gi0\Local Settings\Temp
  • C:\Documents and Settings\Gi0\Local Settings\Temp\RarSFX0
  • C:\Documents and Settings\Gi0\Local Settings\Temp\RarSFX0\SearchIndex.exe
  • C:\Documents and Settings\Gi0\My Documents
  • C:\Documents and Settings\Gi0\My Documents\desktop.ini
  • C:\Documents and Settings\All Users
  • C:\Documents and Settings\All Users\Documents
  • C:\Documents and Settings\All Users\Documents\desktop.ini
  • C:\Documents and Settings\All Users\Desktop
  • C:\
  • PIPE\srvsvc
  • C:\Documents and Settings\Gi0\Local Settings\Temp\RarSFX0\
  • C:\Documents and Settings\Gi0\Start Menu\Programs\Startup\SearchIndex.exe.lnk
  • C:\Documents and Settings\All Users\Start Menu
  • C:\Documents and Settings\All Users\Start Menu\desktop.ini
  • C:\Documents and Settings\All Users\Application Data
  • C:\Documents and Settings\All Users\Application Data\desktop.ini
  • C:\Documents and Settings\Gi0\Application Data
  • C:\Documents and Settings\Gi0\Application Data\desktop.ini
  • C:\WINDOWS
  • C:\WINDOWS\system32
  • C:\Program Files
  • C:\DOCUME~1\Gi0\LOCALS~1\Temp\RarSFX0\SearchIndex.exe
  • C:\WINDOWS\system32\SHELL32.dll
  • C:\WINDOWS\system32\stdole2.tlb
Mutexes
  • CTF.TimListCache.FMPDefaultS-1-5-21-1454471165-1417001333-1801674531-1004MUTEX.DefaultS-1-5-21-1454471165-1417001333-1801674531-1004
  • ShimCacheMutex
Registry Keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Classes
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID
  • CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
  • CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TreatAs
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocServer32
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocServerX86
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer32
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandlerX86
  • \CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
  • HKEY_CLASSES_ROOT\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TreatAs
  • CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
  • CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TreatAs
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServer32
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServerX86
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer32
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandler32
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandlerX86
  • \CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
  • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TreatAs
  • CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
  • CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TreatAs
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServer32
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServerX86
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer32
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandlerX86
  • \CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
  • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TreatAs
  • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
  • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_CURRENT_USER\Software\WinRAR SFX
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6c9a872a-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6c9a872b-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{6c9a872d-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c9a872d-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c9a872b-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c9a872a-16ec-11e3-bb67-806d6172696f}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
  • HKEY_CLASSES_ROOT\Directory
  • HKEY_CLASSES_ROOT\Directory\CurVer
  • HKEY_CLASSES_ROOT\Directory\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\Directory\\Clsid
  • HKEY_CLASSES_ROOT\Folder
  • HKEY_CLASSES_ROOT\Folder\Clsid
  • CLSID\{00021401-0000-0000-C000-000000000046}
  • CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
  • \CLSID\{00021401-0000-0000-C000-000000000046}
  • \CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32
  • \CLSID\{00021401-0000-0000-C000-000000000046}\InprocServerX86
  • \CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32
  • \CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler32
  • \CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandlerX86
  • \CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
  • HKEY_CLASSES_ROOT\.exe
  • HKEY_CLASSES_ROOT\exefile
  • HKEY_CLASSES_ROOT\exefile\CurVer
  • HKEY_CLASSES_ROOT\exefile\
  • HKEY_CLASSES_ROOT\exefile\\ShellEx\IconHandler
  • HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
  • HKEY_CLASSES_ROOT\SystemFileAssociations\application
  • HKEY_CLASSES_ROOT\exefile\\Clsid
  • HKEY_CLASSES_ROOT\*
  • HKEY_CLASSES_ROOT\*\Clsid
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\DefaultSecurity
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_CURRENT_USER\Control Panel\Mouse
  • HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
  • HKEY_CLASSES_ROOT\InternetExplorer.Application
  • HKEY_CLASSES_ROOT\InternetExplorer.Application\CLSID
  • CLSID\{0002DF01-0000-0000-C000-000000000046}
  • CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServerX86
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
  • \CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerX86
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_CLASSES_ROOT\AppID\SearchIndex.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_CLASSES_ROOT\Interface\{00020400-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32
  • CLSID\{00020420-0000-0000-C000-000000000046}
  • CLSID\{00020420-0000-0000-C000-000000000046}\TreatAs
  • \CLSID\{00020420-0000-0000-C000-000000000046}
  • \CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
  • \CLSID\{00020420-0000-0000-C000-000000000046}\InprocServerX86
  • \CLSID\{00020420-0000-0000-C000-000000000046}\LocalServer32
  • \CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandler32
  • \CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandlerX86
  • \CLSID\{00020420-0000-0000-C000-000000000046}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00020420-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\CLSID\{00020420-0000-0000-C000-000000000046}\TreatAs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
  • HKEY_CLASSES_ROOT\Interface\{00020401-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\Interface\{00020401-0000-0000-C000-000000000046}\ProxyStubClsid32
  • CLSID\{00020422-0000-0000-C000-000000000046}
  • CLSID\{00020422-0000-0000-C000-000000000046}\TreatAs
  • \CLSID\{00020422-0000-0000-C000-000000000046}
  • \CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32
  • \CLSID\{00020422-0000-0000-C000-000000000046}\InprocServerX86
  • \CLSID\{00020422-0000-0000-C000-000000000046}\LocalServer32
  • \CLSID\{00020422-0000-0000-C000-000000000046}\InprocHandler32
  • \CLSID\{00020422-0000-0000-C000-000000000046}\InprocHandlerX86
  • \CLSID\{00020422-0000-0000-C000-000000000046}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00020422-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\CLSID\{00020422-0000-0000-C000-000000000046}\TreatAs
  • HKEY_CLASSES_ROOT\Shell.Application
  • HKEY_CLASSES_ROOT\Shell.Application\CLSID
  • CLSID\{13709620-C279-11CE-A49E-444553540000}
  • CLSID\{13709620-C279-11CE-A49E-444553540000}\TreatAs
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\InprocServer32
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\InprocServerX86
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\LocalServer32
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\InprocHandler32
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\InprocHandlerX86
  • \CLSID\{13709620-C279-11CE-A49E-444553540000}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}
  • HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}\TreatAs
  • HKEY_CLASSES_ROOT\TypeLib
  • HKEY_CLASSES_ROOT\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}
  • HKEY_CLASSES_ROOT\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\1.0
  • HKEY_CLASSES_ROOT\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\1.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\1.0\0\win32
  • HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
  • HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
  • HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
  • CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
  • CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\TreatAs
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServerX86
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\LocalServer32
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocHandler32
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocHandlerX86
  • \CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\LocalServer
  • HKEY_CLASSES_ROOT\Interface\{00020404-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\Interface\{00020404-0000-0000-C000-000000000046}\ProxyStubClsid32
  • CLSID\{00020421-0000-0000-C000-000000000046}
  • CLSID\{00020421-0000-0000-C000-000000000046}\TreatAs
  • \CLSID\{00020421-0000-0000-C000-000000000046}
  • \CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32
  • \CLSID\{00020421-0000-0000-C000-000000000046}\InprocServerX86
  • \CLSID\{00020421-0000-0000-C000-000000000046}\LocalServer32
  • \CLSID\{00020421-0000-0000-C000-000000000046}\InprocHandler32
  • \CLSID\{00020421-0000-0000-C000-000000000046}\InprocHandlerX86
  • \CLSID\{00020421-0000-0000-C000-000000000046}\LocalServer
  • HKEY_CLASSES_ROOT\CLSID\{00020421-0000-0000-C000-000000000046}
  • HKEY_CLASSES_ROOT\CLSID\{00020421-0000-0000-C000-000000000046}\TreatAs
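The two verdicts under Signatures come from exactly this kind of list. An added example, not part of the report and not Cuckoo's own signature code, that re-derives the "autorun at Windows startup" verdict from the Startup-folder .lnk above and adds two checks this report version left unflagged: WinRAR SFX extraction (the __tmp_rar_sfx_access_check file, the HKCU\Software\WinRAR SFX key and the payload unpacked into RarSFX0) and the read of HKCU\Software\AutoIt v3\AutoIt, which the AutoIt runtime performs at start and which is therefore consistent with the dropped SearchIndex.exe being a compiled AutoIt script (an interpretation, not something the report states). The input is a constructed subset of the paths and keys listed above; the regexes are the editor's.

```python
"""Re-derive the report's behavioural verdicts from the Behavior Summary
paths and keys, plus two checks Cuckoo 0.6 left unflagged: WinRAR SFX
extraction and the AutoIt registry probe.

Caveat: the summary lists every path touched without the operation, so
reads (Explorer probing desktop.ini in the Startup folder) look the same
as writes. A production signature keys on the file-create/write calls
with write access; this flat list no longer carries that, so shell
metadata files are filtered by name instead.
"""
import re

# Constructed input: a subset of the Files and Registry Keys listed above.
FILES = [
    r"C:\DOCUME~1\Gi0\LOCALS~1\Temp\searchindexer.exe",
    r"C:\DOCUME~1\Gi0\LOCALS~1\Temp\RarSFX0",
    r"__tmp_rar_sfx_access_check_648562",
    r"C:\Documents and Settings\Gi0\Start Menu\Programs\Startup\desktop.ini",
    "C:\\Documents and Settings\\Gi0\\Local Settings\\Temp\\RarSFX0\\",
    r"C:\Documents and Settings\Gi0\Local Settings\Temp\RarSFX0\SearchIndex.exe",
    r"C:\Documents and Settings\Gi0\Start Menu\Programs\Startup\SearchIndex.exe.lnk",
    r"C:\WINDOWS\system32\SHELL32.dll",
]
REGKEYS = [
    r"HKEY_CURRENT_USER\Software\WinRAR SFX",
    r"HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt",
    r"HKEY_CLASSES_ROOT\AppID\SearchIndex.exe",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
]

SHELL_METADATA = {"desktop.ini"}
STARTUP_ENTRY = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
SFX_PAYLOAD = re.compile(r"\\Temp\\RarSFX\d+\\([^\\]+)$", re.I)
SFX_ACCESS_CHECK = re.compile(r"^__tmp_rar_sfx_access_check_\d+$", re.I)
AUTOIT_KEY = re.compile(r"\\Software\\AutoIt v3\\AutoIt$", re.I)


def check_autorun(files, regkeys):
    """Cuckoo's 'Installs itself for autorun' verdict: an entry in a Startup
    folder or a Run/RunOnce key. For this sample only the .lnk fires; no
    Run key appears anywhere in the summary."""
    hits = [f for f in files
            if (m := STARTUP_ENTRY.search(f)) and m.group(1).lower() not in SHELL_METADATA]
    hits += [k for k in regkeys if RUN_KEY.search(k)]
    return hits


def check_sfx(files, regkeys):
    """WinRAR SFX extraction: the stub's access-check file, its HKCU key,
    and whatever it unpacked into %TEMP%\\RarSFX<n>\\ (the payload names).
    The bare directory entries do not count as payloads."""
    markers = [f for f in files if SFX_ACCESS_CHECK.match(f)]
    markers += [k for k in regkeys if k.lower().endswith("\\software\\winrar sfx")]
    payloads = [m.group(1) for f in files if (m := SFX_PAYLOAD.search(f))]
    return {"markers": markers, "payloads": payloads}


def check_autoit(regkeys):
    """The AutoIt runtime reads HKCU\\Software\\AutoIt v3\\AutoIt at start.
    One indicator only (assumption to confirm statically, e.g. by the
    AutoIt resource in the dropped binary), not a verdict on its own."""
    return any(AUTOIT_KEY.search(k) for k in regkeys)


def triage(files, regkeys):
    """Combine the checks into the findings a report consumer acts on."""
    sfx = check_sfx(files, regkeys)
    return {
        "autorun": check_autorun(files, regkeys),
        "sfx_markers": sfx["markers"],
        "sfx_payloads": sfx["payloads"],
        "autoit": check_autoit(regkeys),
    }


if __name__ == "__main__":
    for name, finding in triage(FILES, REGKEYS).items():
        print(f"{name}: {finding}")
```

Run against the full Files and Registry Keys lists the result is the same: one Startup-folder .lnk pointing at SearchIndex.exe, one SFX payload, no Run key, and the AutoIt probe. The persistence here is the user's Startup folder, so it survives only for the Gi0 profile; a hunt for this family on other hosts should look in per-user Startup folders, not just HKLM Run.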

Processes


searchindexer.exe PID: 2340, Parent PID: 1956