File name:

hkcmd.exe

Full analysis: https://app.any.run/tasks/247d0012-9a84-40fc-890a-b937c58106a3
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Malware Trends Tracker     >>>
Analysis date: April 14, 2025, 21:15:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
dbatloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

05EF4CA659965C1D3FAA58077B0F9943

SHA1:

C168978862AA0A8D00C7F9B359DC5E8059AC7844

SHA256:

00B229DE51C409D79B0084465543C9197F797D4A835290EBF72CBCE75CFB2044

SSDEEP:

49152:ll4svCOqCOdSqg6olwGDcDIGDcDVkYeMy6dSsAwzlnV/EXiK0vSXHe2l3scCV4RJ:Fcat7dSGxESf2+w3fCmywcelkEsVj7Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DBATLOADER has been detected (YARA)

      • hkcmd.exe (PID: 7356)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • hkcmd.exe (PID: 7356)

    • Executing commands from ".cmd" file

      • hkcmd.exe (PID: 7356)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7952)

    • Reads security settings of Internet Explorer

      • hkcmd.exe (PID: 7356)

    • Starts CMD.EXE for commands execution

      • hkcmd.exe (PID: 7356)

    • Likely accesses (executes) a file from the Public directory

      • esentutl.exe (PID: 8048)
      • alpha.pif (PID: 8100)
      • alpha.pif (PID: 8080)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 8048)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 8048)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 8100)
      • alpha.pif (PID: 8080)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7916)

    • Executes application which crashes

      • hkcmd.exe (PID: 7356)

    • Created directory related to system

      • alpha.pif (PID: 8080)

    • Starts itself from another location

      • cmd.exe (PID: 7916)

  • INFO

    • Checks proxy server information

      • hkcmd.exe (PID: 7356)

    • Checks supported languages

      • hkcmd.exe (PID: 7356)
      • alpha.pif (PID: 8100)
      • alpha.pif (PID: 8080)

    • Reads the computer name

      • hkcmd.exe (PID: 7356)

    • Compiled with Borland Delphi (YARA)

      • hkcmd.exe (PID: 7356)

    • Creates files in the program directory

      • hkcmd.exe (PID: 7356)

    • The sample compiled with english language support

      • esentutl.exe (PID: 8048)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6964)

    • Reads the software policy settings

      • slui.exe (PID: 7444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (35.1)
.exe | Win32 EXE PECompact compressed (generic) (33.9)
.exe | Win32 Executable Delphi generic (11.5)
.scr | Windows screen saver (10.6)
.exe | Win32 Executable (generic) (3.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 460800
InitializedDataSize: 1243648
UninitializedDataSize: -
EntryPoint: 0x7182c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
14
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DBATLOADER hkcmd.exe sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs colorcpl.exe no specs werfault.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2236C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6964C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7356 -s 1416C:\Windows\SysWOW64\WerFault.exehkcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7208C:\Windows\System32\colorcpl.exeC:\Windows\SysWOW64\colorcpl.exehkcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Color Control Panel
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7356"C:\Users\admin\AppData\Local\Temp\hkcmd.exe" C:\Users\admin\AppData\Local\Temp\hkcmd.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\hkcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7396C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7444"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7916C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\8401.cmdC:\Windows\SysWOW64\cmd.exehkcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7952C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\21117.cmdC:\Windows\SysWOW64\cmd.exehkcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7968\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 958
Read events
2 958
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6964WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hkcmd.exe_9c25bed666bef16eb1154bf93a3aecbbf76768_251f22e3_6cc4ce09-5848-44f9-bdce-f28068e39f94\Report.wer
MD5:
SHA256:
6964WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\hkcmd.exe.7356.dmpbinary
MD5:D64E232CB7502F006134AE1466CEBE7C
SHA256:1471C1122C6FF49BD8704DFA718104EB6D6E639506C059EDAF44E9B3FDD56B22
7356hkcmd.exeC:\ProgramData\8401.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
6964WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1E35.tmp.xmlxml
MD5:BC405D3616BF6859A48FB9EA52348418
SHA256:478D28B570FF20E0170F182325357822C0D3EFA0A5520C5C056C9E79550DBC47
7356hkcmd.exeC:\ProgramData\21117.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
6964WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1903.tmp.dmpbinary
MD5:F67F5C17A857BB8FC763A0F4BC89C619
SHA256:621A1922DB55ED50C21DCE43D3ED35B1666F2494AFF25298FDB760F107769978
6964WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1DA8.tmp.WERInternalMetadata.xmlbinary
MD5:200AB65471980BB508D586DBEF003CF2
SHA256:9711763C7241A9D1E8805915782AA04C739ECE1818871574D641AACF3239248E
8048esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
7356hkcmd.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.141:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7316
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7316
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.141:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7316
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7316
SIHClient.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.141
  • 23.48.23.193
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.183
  • 23.48.23.150
  • 23.48.23.147
  • 23.48.23.194
  • 23.48.23.190
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.4
  • 40.126.32.76
  • 20.190.160.128
  • 20.190.160.17
  • 20.190.160.64
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
hkcmd.exe