File name:

bacha.bat

Full analysis: https://app.any.run/tasks/fe8a1c0c-dd4e-4b21-82e1-0f798835c943
Verdict: Malicious activity
Analysis date: January 06, 2024, 22:56:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

2FD0487EDC44350921BB32287B4446A8

SHA1:

25C0B6DE0C52BC5D155F1FE8F1927257FAC40A4F

SHA256:

8C7181E57EEEBC4CF6F15EBEBCE4A9808CA8F023028028ED2A8DABE19096DA0D

SSDEEP:

48:ZPIZEZJLWjZ1RlMB2U5CtY5f55lcACzfoY2rCQi5Y6E51cX:ZPF3qZnly2Y953Oo/OQiijg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • cmd.exe (PID: 2636)

  • SUSPICIOUS

    • Reads the Internet Settings

      • SearchProtocolHost.exe (PID: 1192)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2168)
      • notepad.exe (PID: 1816)
      • explorer.exe (PID: 324)
      • cmd.exe (PID: 2636)

    • Creates files in the program directory

      • SearchIndexer.exe (PID: 2828)
      • SearchIndexer.exe (PID: 2804)

    • Executes as Windows Service

      • SearchIndexer.exe (PID: 2804)
      • SearchIndexer.exe (PID: 2828)

    • Creates files or folders in the user directory

      • SearchProtocolHost.exe (PID: 1192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
10
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs explorer.exe no specs notepad.exe no specs cmd.exe no specs cmd.exe searchindexer.exe no specs searchindexer.exe no specs searchprotocolhost.exe no specs searchfilterhost.exe no specs searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1192"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1302019708-1500728564-335382590-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1816"C:\Windows\System32\NOTEPAD.EXE" C:\Windows\bacha.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1956"C:\Windows\system32\SearchFilterHost.exe" 0 524 528 536 65536 532 C:\Windows\System32\SearchFilterHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Filter Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2036C:\Windows\system32\cmd.exe /c ""C:\Windows\bacha.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2168C:\Windows\system32\cmd.exe /c ""C:\Windows\bacha.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2636"C:\Windows\System32\cmd.exe" /C "C:\Windows\bacha.bat" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2804C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\System32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2816"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2828C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\System32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
6 436
Read events
5 860
Write events
369
Delete events
207

Modification events

(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003eb
Value:
010000009F3D029D230C00000300000000000000
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003f5
Value:
01000000C7AD039D230C00000100000000000000
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:00000bdc
Value:
010000003C09049D230C00000400000000000000
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
Operation:writeName:UseSystemTemp
Value:
0
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex
Operation:writeName:SystemLcid
Value:
1033
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\3
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(2828) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\5
Operation:writeName:CrawlControl
Value:
0
Executable files
0
Suspicious files
28
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2804SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
2828SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
2828SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00002.jrsbinary
MD5:87E50E8586DBA6B53A60855024388427
SHA256:4EC923270DB17DB7609FE39206BEBBCE31483D4AEEE6A7D69D854BD89910B8B0
2804SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkbinary
MD5:B0BCC38CA1F8F6D6CFBD28633CDC65C4
SHA256:D3F3D76B6DF37AB71AD4173908653CA41DA41D81B9FECE207695C46C49C0DB16
2636cmd.exeC:\Windows\System32\Config\TxR\{6cced300-6e01-11de-8bed-001e0bcd1824}.TxR.2.regtrans-ms
MD5:
SHA256:
2804SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\SETTINGS.DIAbinary
MD5:4352D88A78AA39750BF70CD6F27BCAA5
SHA256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
2804SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logbinary
MD5:4C1B8E0A250F04423FBC00B9C4E8B953
SHA256:3048E110A4DACC92500234E6B421FBBBA5E80371B756A41BD4C140437F48F083
2804SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAB0002.000binary
MD5:7CA2DA6F1E7BCA562D7D9376700A912F
SHA256:04FD7654331261FF9EC331C31B238BA7770F082ABFB817D7881813EC02084A4E
2804SearchIndexer.exeC:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002binary
MD5:B964F299062F2F2359AC1327B45B8C70
SHA256:F0C539CECD83B0795A7278BD83A98449176F7EBD6FAF998EB727380F181B5D26
2804SearchIndexer.exeC:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAD0001.000binary
MD5:7CA2DA6F1E7BCA562D7D9376700A912F
SHA256:04FD7654331261FF9EC331C31B238BA7770F082ABFB817D7881813EC02084A4E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bacha.bat