File name:

Objednavka_25710527.cmd

Full analysis: https://app.any.run/tasks/72fc6a7f-f3f5-41c3-9624-43925ff89922
Verdict: Malicious activity
Analysis date: April 29, 2025, 09:46:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (1232), with CRLF line terminators
MD5:

00B10A741EB8F2C914F83CB048DD174D

SHA1:

FADE082B20A88AC211AE7E6E5CBBB79AB73D9FF1

SHA256:

9D968540A796C21CA09FEB3EFC201AD3E6C57FCE267BA05A08A337DD1E14AACF

SSDEEP:

49152:9PvF3OHzPPT0u2J6EdQJk21KsexQ+EHZsBxJbsgET:g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)
      • expha.pif (PID: 6040)
      • ghf.pif (PID: 7200)
      • esentutl.exe (PID: 8136)
      • chrome.PIF (PID: 7324)

    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)
      • expha.pif (PID: 6040)
      • ghf.pif (PID: 7200)
      • esentutl.exe (PID: 8136)
      • chrome.PIF (PID: 7324)

    • Process drops legitimate windows executable

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3896)
      • alpha.pif (PID: 1300)
      • alpha.pif (PID: 7184)
      • rdha.pif (PID: 7284)
      • cmd.exe (PID: 7996)
      • chrome.PIF (PID: 7324)

    • Process drops legitimate windows executable (CertUtil.exe)

      • expha.pif (PID: 6040)

    • Starts itself from another location

      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 7996)

    • Runs PING.EXE to delay simulation

      • alpha.pif (PID: 7232)
      • cmd.exe (PID: 8012)

    • Reads security settings of Internet Explorer

      • rdha.pif (PID: 7284)
      • chrome.PIF (PID: 7324)

    • Reads the date of Windows installation

      • rdha.pif (PID: 7284)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3896)
      • chrome.PIF (PID: 7324)

    • There is functionality for taking screenshot (YARA)

      • chrome.PIF (PID: 7324)

    • Application launched itself

      • cmd.exe (PID: 3896)

    • Executing commands from ".cmd" file

      • chrome.PIF (PID: 7324)

    • Created directory related to system

      • alpha.pif (PID: 8168)

    • Likely accesses (executes) a file from the Public directory

      • alpha.pif (PID: 8168)
      • alpha.pif (PID: 8188)
      • esentutl.exe (PID: 8136)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 8168)
      • alpha.pif (PID: 8188)

  • INFO

    • Creates files in the program directory

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)
      • ghf.pif (PID: 1276)
      • ghf.pif (PID: 7200)
      • expha.pif (PID: 6040)
      • chrome.PIF (PID: 7324)

    • Reads the computer name

      • extrac32.exe (PID: 5960)
      • ghf.pif (PID: 1276)
      • ghf.pif (PID: 7200)
      • rdha.pif (PID: 7284)
      • chrome.PIF (PID: 7324)

    • Checks supported languages

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)
      • expha.pif (PID: 6040)
      • alpha.pif (PID: 1300)
      • alpha.pif (PID: 7184)
      • ghf.pif (PID: 1276)
      • ghf.pif (PID: 7200)
      • alpha.pif (PID: 7232)
      • rdha.pif (PID: 7284)
      • chrome.PIF (PID: 7324)
      • alpha.pif (PID: 8168)
      • alpha.pif (PID: 8188)
      • cgtvfwqI.pif (PID: 7216)

    • The sample compiled with english language support

      • extrac32.exe (PID: 5960)
      • expha.pif (PID: 2908)
      • expha.pif (PID: 2136)
      • expha.pif (PID: 6040)
      • esentutl.exe (PID: 8136)
      • chrome.PIF (PID: 7324)

    • Process checks computer location settings

      • rdha.pif (PID: 7284)

    • Checks proxy server information

      • chrome.PIF (PID: 7324)

    • Compiled with Borland Delphi (YARA)

      • chrome.PIF (PID: 7324)

    • Reads the software policy settings

      • chrome.PIF (PID: 7324)

    • Reads the machine GUID from the registry

      • chrome.PIF (PID: 7324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
155
Monitored processes
26
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs extrac32.exe expha.pif expha.pif expha.pif alpha.pif no specs ghf.pif no specs alpha.pif no specs ghf.pif alpha.pif no specs ping.exe no specs rdha.pif no specs chrome.pif cmd.exe no specs sppextcomobj.exe no specs slui.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cgtvfwqi.pif no specs

Process information

PID
CMD
Path
Indicators
Parent process
1276C:\\ProgramData\\ghf.pif -decodehex -f "C:\Users\admin\Desktop\Objednavka_25710527.cmd" "C:\\ProgramData\\donex.avi" 9 C:\ProgramData\ghf.pifalpha.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
1300C:\\ProgramData\\alpha.pif /C C:\\ProgramData\\ghf.pif -decodehex -f "C:\Users\admin\Desktop\Objednavka_25710527.cmd" "C:\\ProgramData\\donex.avi" 9 C:\ProgramData\alpha.pifcmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
2136C:\\ProgramData\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\ProgramData\\rdha.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2908C:\\ProgramData\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\ProgramData\\alpha.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3896C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Objednavka_25710527.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4172\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5960extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\ProgramData\\expha.pif" C:\Windows\System32\extrac32.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6040C:\\ProgramData\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\ProgramData\\ghf.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7184C:\\ProgramData\\alpha.pif /C C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12 C:\ProgramData\alpha.pifcmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7200C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12 C:\ProgramData\ghf.pif
alpha.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
Total events
1 863
Read events
1 862
Write events
1
Delete events
0

Modification events

(PID) Process:(7284) rdha.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
7
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2908expha.pifC:\ProgramData\alpha.pifexecutable
MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5
SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
5960extrac32.exeC:\ProgramData\expha.pifexecutable
MD5:41330D97BF17D07CD4308264F3032547
SHA256:A224559FD6621066347A5BA8F4AEECEEA8A0A7A881A71BD36DE69ACEB52E9DF7
2136expha.pifC:\ProgramData\rdha.pifexecutable
MD5:100F56A73211E0B2BCD076A55E6393FD
SHA256:00BE065F405E93233CC2F0012DEFDCBB1D6817B58969D5FFD9FD72FC4783C6F4
8136esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
1276ghf.pifC:\ProgramData\donex.avitext
MD5:C351D470389095B4D9FF905027D47303
SHA256:4A6217650FD04F7A3BA1CC105F7FD3A5A4398A24FF8644EE7395283BDC623183
7200ghf.pifC:\ProgramData\chrome.PIFexecutable
MD5:ECD7A91603EA4ED1F45C8BC6400679C8
SHA256:2F8D684263C0813C102F3D6243334B93F8AD608C4B7F888F1BB5D69F1E47F534
7324chrome.PIFC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
7324chrome.PIFC:\ProgramData\3421.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
7324chrome.PIFC:\ProgramData\20101.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
6040expha.pifC:\ProgramData\ghf.pifexecutable
MD5:A7A5B67EC704EAC6D6E6AF0489353F42
SHA256:BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4024
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.129
  • 40.126.31.131
  • 40.126.31.3
  • 20.190.159.131
  • 40.126.31.69
  • 40.126.31.1
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
mack-concord.hr
  • 195.29.178.20
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Objednavka_25710527.cmd