File name: Test LoLbin.bat

Full analysis: https://app.any.run/tasks/e3be4412-ce4a-4e14-ad4f-999c9e2fde3b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 27, 2024, 15:23:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 13B59766B7093DFE77E09976FEC17418
SHA1: A53989FBBE4CA8FE505FB672664183320E4EFDCD
SHA256: D8F16EF9C87C66FE49ED0A1E0498E321444D9FC20EBB7DDD802BED19C87CBFF1
SSDEEP: 12:5IxpO3jpZ9YfxlfRAY0FADmHQKDAuNLVXil8YVP0YVLlPa/Vv/tafB73A:6kL9Yfxlf20DmHNkuN0l339a/x/sfJA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CertUtil for downloading files
      • cmd.exe (PID: 6652)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • certutil.exe (PID: 6724)
    • Drops 7-zip archiver for unpacking
      • certutil.exe (PID: 6724)
    • Potential Corporate Privacy Violation
      • certutil.exe (PID: 6724)
    • Process requests binary or script from the Internet
      • certutil.exe (PID: 6724)
  • INFO
    • Checks proxy server information
      • certutil.exe (PID: 6724)
    • Creates files or folders in the user directory
      • certutil.exe (PID: 6724)
    • Reads the software policy settings
      • certutil.exe (PID: 6724)
    • Reads security settings of Internet Explorer
      • certutil.exe (PID: 6724)
    • Drops the executable file immediately after the start
      • certutil.exe (PID: 6724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 115
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

cmd.exe (PID 6652) -> conhost.exe (PID 6660)
cmd.exe (PID 6652) -> certutil.exe (PID 6724)

Process information

PID: 6652
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Test LoLbin.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID: 6660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6724
CMD: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Path: C:\Windows\System32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
Total events: 3 944
Read events: 3 933
Write events: 11
Delete events: 0

Modification events

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6724) certutil.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 3
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 6724
Process: certutil.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\7z1604-x64[1].exe
Type: executable
MD5: 04584F3AED5B27FD0AC2751B36273D94
SHA256: 9BB4DC4FAB2A2A45C15723C259DC2F7313C89A5AC55AB7C3F76BBA26EDC8BCAA

PID: 6724
Process: certutil.exe
Filename: C:\Users\admin\Desktop\7zip.exe
Type: executable
MD5: 04584F3AED5B27FD0AC2751B36273D94
SHA256: 9BB4DC4FAB2A2A45C15723C259DC2F7313C89A5AC55AB7C3F76BBA26EDC8BCAA

PID: 6724
Process: certutil.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0BBC7BDFC5DE8921990E93244F2B95E7
Type: executable
MD5: 04584F3AED5B27FD0AC2751B36273D94
SHA256: 9BB4DC4FAB2A2A45C15723C259DC2F7313C89A5AC55AB7C3F76BBA26EDC8BCAA

PID: 6724
Process: certutil.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0BBC7BDFC5DE8921990E93244F2B95E7
Type: binary
MD5: 2516E9F8F28F100469F4D73291D326EA
SHA256: F41B8C3EA3E5ABD6FBBF95504C07CD2A3191BF0B36D83B4CB2433090EBB24D4F

PID: 6724
Process: certutil.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\7z1604-x64[1].htm
Type: html
MD5: BD2695F4B079C71DBDDDE3436286FB9C
SHA256: 2E04A18FF185BA5B16F762A0538339BC4049ACEAEF9738EDD43AF77D2CEB788B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 20
DNS requests: 4
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size
 | | GET | 200 | 23.195.249.173:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.195.249.173:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown |
6724 | certutil.exe | GET | 301 | 49.12.202.237:80 | http://7-zip.org/a/7z1604-x64.exe | unknown | unknown |
6724 | certutil.exe | GET | 301 | 49.12.202.237:80 | http://7-zip.org/a/7z1604-x64.exe | unknown | unknown |
6724 | certutil.exe | GET | 200 | 49.12.202.237:443 | https://7-zip.org/a/7z1604-x64.exe | unknown | executable | 1.32 Mb
6724 | certutil.exe | GET | 200 | 49.12.202.237:443 | https://7-zip.org/a/7z1604-x64.exe | unknown | executable | 1.32 Mb
2908 | OfficeClickToRun.exe | POST | 200 | 52.168.117.170:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
5140 | MoUsoCoreWorker.exe | 23.195.249.173:80 | www.microsoft.com | AKAMAI-AS | CZ | unknown
 | | 23.195.249.173:80 | www.microsoft.com | AKAMAI-AS | CZ | unknown
4364 | svchost.exe | 239.255.255.250:1900 | | | | unknown
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5380 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5456 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6724 | certutil.exe | 49.12.202.237:80 | 7-zip.org | Hetzner Online GmbH | DE | unknown
6724 | certutil.exe | 49.12.202.237:443 | 7-zip.org | Hetzner Online GmbH | DE | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
www.microsoft.com | 23.195.249.173 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
7-zip.org | 49.12.202.237 | unknown
self.events.data.microsoft.com | 20.189.173.27 | whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info