File name:

horreur.bat

Full analysis: https://app.any.run/tasks/effb580e-7cdb-4703-90db-75ccdfdafa22
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 05, 2025, 22:58:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

198FD47234DDC9D5A67BA2CD93D1FFF8

SHA1:

19BCEAD2E297ED0AD5D0B1CB65C912BFA9E2AD64

SHA256:

CA51D01A4B6F4C2E9D340CF634C6EEEA4C77554D78C1E120C5D5BD0D9004403B

SSDEEP:

6:h8VcH1YAa+o5lBo0BEQHzyYp3HzoNo8cXe9NFHHz83Rx35mPebUlWeFFF/e5vn:OQPa+qlOCEULpDXPcFz834PFs6/yn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • takeown.exe (PID: 1508)

  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • takeown.exe (PID: 1508)
      • icacls.exe (PID: 1812)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 432)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 432)
      • cmd.exe (PID: 7056)

    • The system shut down or reboot

      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 432)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 432)
      • cmd.exe (PID: 6460)

  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 3656)
      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 432)
      • cmd.exe (PID: 7056)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
19
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs notepad.exe no specs cmd.exe conhost.exe no specs timeout.exe no specs shutdown.exe no specs takeown.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs shutdown.exe no specs takeown.exe no specs icacls.exe no specs cmd.exe conhost.exe no specs timeout.exe no specs slui.exe no specs icacls.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
432C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\horreur.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1136timeout 80 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1508takeown /f "C:\Windows\System32" /rC:\Windows\System32\takeown.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
1560\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1760C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1812icacls "C:\Windows\System32" /reset /t /c /qC:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
3656"C:\WINDOWS\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\horreur.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3740timeout 1 C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3884shutdown -r -t 75C:\Windows\System32\shutdown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shutdownext.dll
4960takeown /f "C:\Windows\System32" /rC:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Takes ownership of a file
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
Total events
618
Read events
618
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7056cmd.exeC:\Windows\System32\config\DRIVERS
MD5:
SHA256:
7056cmd.exeC:\Windows\System32\winevt\Logs\Security.evtx
MD5:
SHA256:
5644icacls.exeC:\Windows\System32\config\SYSTEM.LOG2binary
MD5:8E97255E8A3A648557512BF9B133B11F
SHA256:5E33E42337FC111CF3C9B17CB67BE7B7C27AA960A8B9002D40FC3534A9BEE5B0
432cmd.exeC:\Users\admin\Desktop\destroy.battext
MD5:EEB086A7854DAE6CDCE64F49EB87D64C
SHA256:5822C2222C4A4121A1667C7D483FF8B91E489A4C5E881C75A4354712BFE6F435
5644icacls.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtxbinary
MD5:E16D6D4E13BEC326A730F9BBED78B7F4
SHA256:8F01C4B7767678D6997735A330B0BB26FC2E000FCD46B376B2656C2638608111
5644icacls.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtxbinary
MD5:848E8ECBF6AE7AC0B090187ACDDB68CD
SHA256:0333B3E263453710B002E08D99CB5E2E5FA3A5641581FB635C11735426D72D1A
5644icacls.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-NcdAutoSetup%4Operational.evtxbinary
MD5:A5DEDC22D5A544109BC2F98F3E128FAF
SHA256:2449FEF0C68F9ACC7C5AAA2FE302F79737C1AB36B3D5A76B349C17D04CCF63A6
5952cmd.exeC:\Users\admin\Desktop\horreur.battext
MD5:198FD47234DDC9D5A67BA2CD93D1FFF8
SHA256:CA51D01A4B6F4C2E9D340CF634C6EEEA4C77554D78C1E120C5D5BD0D9004403B
5644icacls.exeC:\Windows\System32\config\DEFAULT.LOG2binary
MD5:F6607A2BFA8425440D9FFAC05D3696B6
SHA256:025DC55266FC5FF76681703AB2ADCB2EB794F3378636D98B20C372C6AA98245D
5644icacls.exeC:\Windows\System32\winevt\Logs\Microsoft-Windows-NlaSvc%4Operational.evtxbinary
MD5:59A1494282544AA14EDC260E8D8304B9
SHA256:097DA001855BCD28638645EE5F10321A4F7554B42A9E24BC6AC1488D41AD1AD3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3908
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2764
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3908
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6672
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3908
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3908
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
horreur.bat