File name:

horreur.bat

Full analysis: https://app.any.run/tasks/0f61982a-fda5-4288-ae39-e3be7eea36e9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 05, 2025, 22:46:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

240AA6E988C6657D37009E1813EC421B

SHA1:

A7AD45B81805CE69B6C485FE0AFE6A6E68C33BE0

SHA256:

6817DAC3D0A1DC54B5F01709CACB4E31C33342C5B35EA8E7B5EB989F35483665

SSDEEP:

6:h8VcH1YAa+o5lBo0BEQHzyYp3HzoNo8cXe9NFHHz83v35mPebUlWeFFF/e5vn:OQPa+qlOCEULpDXPcFz8f4PFs6/yn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • takeown.exe (PID: 2124)

  • SUSPICIOUS

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6124)
      • cmd.exe (PID: 3520)
      • cmd.exe (PID: 6424)

    • The system shut down or reboot

      • cmd.exe (PID: 6124)
      • cmd.exe (PID: 3520)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 6124)
      • cmd.exe (PID: 3520)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 3520)
      • cmd.exe (PID: 6124)

    • The process checks if it is being run in the virtual environment

      • takeown.exe (PID: 2124)

  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 5020)
      • notepad.exe (PID: 2276)
      • cmd.exe (PID: 6124)
      • cmd.exe (PID: 3520)
      • cmd.exe (PID: 6424)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 2276)
      • notepad.exe (PID: 5020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
20
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs cmd.exe conhost.exe no specs timeout.exe no specs shutdown.exe no specs takeown.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs shutdown.exe no specs takeown.exe no specs icacls.exe no specs cmd.exe conhost.exe no specs timeout.exe no specs slui.exe no specs icacls.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
892timeout 80 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1612\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1636timeout 1 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1728takeown /f "C:\Windows\System32" /rC:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
1732shutdown -r -t 80C:\Windows\System32\shutdown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
1190
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shutdownext.dll
2124takeown /f "C:\Windows\System32" /rC:\Windows\System32\takeown.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
2276"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\horreur.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3520C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\horreur.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225547
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
3952icacls "C:\Windows\System32" /reset /t /c /qC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
4528icacls "C:\Windows\System32" /reset /t /c /qC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
Total events
778
Read events
778
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4528icacls.exeC:\Windows\System32\config\DRIVERS
MD5:
SHA256:
6424cmd.exeC:\Windows\System32\config\SOFTWARE.LOG2
MD5:
SHA256:
6424cmd.exeC:\Windows\System32\winevt\Logs\Application.evtx
MD5:
SHA256:
6424cmd.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx
MD5:
SHA256:
3520cmd.exeC:\Users\admin\Desktop\destroy.battext
MD5:EEB086A7854DAE6CDCE64F49EB87D64C
SHA256:5822C2222C4A4121A1667C7D483FF8B91E489A4C5E881C75A4354712BFE6F435
7156cmd.exeC:\Users\admin\Desktop\horreur.battext
MD5:240AA6E988C6657D37009E1813EC421B
SHA256:6817DAC3D0A1DC54B5F01709CACB4E31C33342C5B35EA8E7B5EB989F35483665
4528icacls.exeC:\Windows\System32\config\DRIVERS.LOG1binary
MD5:548D157BF532CD5A834BA852E25B7949
SHA256:1603C0BEDF34DBD83E6E1E368E80C86A35208D6D8E9BF12695144DBFD2528A13
6124cmd.exeC:\Windows\System32\destroy.battext
MD5:EEB086A7854DAE6CDCE64F49EB87D64C
SHA256:5822C2222C4A4121A1667C7D483FF8B91E489A4C5E881C75A4354712BFE6F435
6424cmd.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtxbinary
MD5:BF14174472C723870B5A14FE038320BA
SHA256:60216470D059ABFC4EFF7F231276763CD225A04956F1317A0CB5392F896DE1DE
4528icacls.exeC:\Windows\System32\config\DEFAULT.LOG2binary
MD5:56A5BAF76C58B745E9AFF89CBEEBE2EF
SHA256:237CEAEA151847E16D7B6613BC1B31667F94A956AD34B7758F8B2738D229D0BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
24
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.55.104.172:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2292
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6380
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6380
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6732
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.55.104.172:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2292
svchost.exe
20.190.160.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2292
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.55.104.172
  • 23.55.104.190
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.64
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.128
  • 20.190.160.130
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
horreur.bat