File name:

ICRM-ICCB-CRM_PATCH.cmd

Full analysis: https://app.any.run/tasks/1d612b00-4296-44f0-80a7-1f4706bcaaee
Verdict: Malicious activity
Analysis date: April 29, 2025, 12:16:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (1232), with CRLF line terminators
MD5:

352A803C9C6E9C092939ECE1911DC062

SHA1:

62D1BD61ABED4243EBB094A5EAB50E03DDC51196

SHA256:

D25BB7173F16389182DC38151B890093EABE94D85DFA3BA06BB59FBE57E32FC2

SSDEEP:

24576:57/xBDgmrY0qt5sAvQQu5t8nCtw7EEBB3m0nFK/T9BSr8COxz7hgHRIPl5OEV1lW:XBEeY0YW95t8CtQVK/hA6l5OEV1lW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7248)
      • expha.pif (PID: 7272)
      • ghf.pif (PID: 7356)

    • Process drops legitimate windows executable

      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7248)

    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7248)
      • expha.pif (PID: 7272)
      • ghf.pif (PID: 7356)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6728)
      • alpha.pif (PID: 7296)
      • alpha.pif (PID: 7340)
      • rdha.pif (PID: 7436)

    • Process drops legitimate windows executable (CertUtil.exe)

      • expha.pif (PID: 7272)

    • Starts itself from another location

      • cmd.exe (PID: 6728)

    • Reads security settings of Internet Explorer

      • rdha.pif (PID: 7436)
      • chrome.PIF (PID: 7480)

    • Reads the date of Windows installation

      • rdha.pif (PID: 7436)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6728)

    • Application launched itself

      • cmd.exe (PID: 6728)

    • There is functionality for taking screenshot (YARA)

      • chrome.PIF (PID: 7480)

    • Runs PING.EXE to delay simulation

      • alpha.pif (PID: 7384)

  • INFO

    • Reads the computer name

      • extrac32.exe (PID: 7188)
      • ghf.pif (PID: 7312)
      • ghf.pif (PID: 7356)
      • rdha.pif (PID: 7436)
      • chrome.PIF (PID: 7480)

    • Checks supported languages

      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7248)
      • expha.pif (PID: 7272)
      • ghf.pif (PID: 7312)
      • ghf.pif (PID: 7356)
      • alpha.pif (PID: 7296)
      • alpha.pif (PID: 7340)
      • rdha.pif (PID: 7436)
      • chrome.PIF (PID: 7480)
      • alpha.pif (PID: 7384)

    • Creates files in the program directory

      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7248)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7272)
      • ghf.pif (PID: 7312)
      • ghf.pif (PID: 7356)

    • The sample compiled with english language support

      • expha.pif (PID: 7248)
      • extrac32.exe (PID: 7188)
      • expha.pif (PID: 7224)
      • expha.pif (PID: 7272)

    • Process checks computer location settings

      • rdha.pif (PID: 7436)

    • Compiled with Borland Delphi (YARA)

      • chrome.PIF (PID: 7480)

    • Checks proxy server information

      • chrome.PIF (PID: 7480)

    • Reads the software policy settings

      • chrome.PIF (PID: 7480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
17
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs extrac32.exe expha.pif expha.pif expha.pif alpha.pif no specs ghf.pif no specs alpha.pif no specs ghf.pif alpha.pif no specs ping.exe no specs rdha.pif no specs chrome.pif cmd.exe no specs sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6728C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Downloads\ICRM-ICCB-CRM_PATCH.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
7188extrac32 /C /Y "C:\\Windows\\System32\\extrac32.exe" "C:\\ProgramData\\expha.pif" C:\Windows\System32\extrac32.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7224C:\\ProgramData\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\ProgramData\\alpha.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7248C:\\ProgramData\\expha.pif /C /Y "C:\\Windows\\System32\\rundll32.exe" "C:\\ProgramData\\rdha.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7272C:\\ProgramData\\expha.pif /C /Y "C:\Windows\System32\certutil.exe" "C:\\ProgramData\\ghf.pif" C:\ProgramData\expha.pif
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
7296C:\\ProgramData\\alpha.pif /C C:\\ProgramData\\ghf.pif -decodehex -f "C:\Users\admin\Downloads\ICRM-ICCB-CRM_PATCH.cmd" "C:\\ProgramData\\donex.avi" 9 C:\ProgramData\alpha.pifcmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7312C:\\ProgramData\\ghf.pif -decodehex -f "C:\Users\admin\Downloads\ICRM-ICCB-CRM_PATCH.cmd" "C:\\ProgramData\\donex.avi" 9 C:\ProgramData\ghf.pifalpha.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
7340C:\\ProgramData\\alpha.pif /C C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12 C:\ProgramData\alpha.pifcmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7356C:\\ProgramData\\ghf.pif -decodehex -f "C:\\ProgramData\\donex.avi" "C:\\ProgramData\\chrome.PIF" 12 C:\ProgramData\ghf.pif
alpha.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\ghf.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
Total events
1 602
Read events
1 601
Write events
1
Delete events
0

Modification events

(PID) Process:(7436) rdha.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
5
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7272expha.pifC:\ProgramData\ghf.pifexecutable
MD5:A7A5B67EC704EAC6D6E6AF0489353F42
SHA256:BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
7224expha.pifC:\ProgramData\alpha.pifexecutable
MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5
SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
7188extrac32.exeC:\ProgramData\expha.pifexecutable
MD5:41330D97BF17D07CD4308264F3032547
SHA256:A224559FD6621066347A5BA8F4AEECEEA8A0A7A881A71BD36DE69ACEB52E9DF7
7356ghf.pifC:\ProgramData\chrome.PIFexecutable
MD5:ACD0B2AAA537D886B764BD5F643A91FB
SHA256:CE0EC23076B723CEC7C9D79441CF6C31CFDA8274DC9BE58D50227C33C04D2672
7312ghf.pifC:\ProgramData\donex.avitext
MD5:E5F887E947D7EEBE6D1FA94515FE10E0
SHA256:7FF9696FC483BC1FF5EFCA40783E0EA768F321321EF8BC2E5015F53A847F1246
7248expha.pifC:\ProgramData\rdha.pifexecutable
MD5:100F56A73211E0B2BCD076A55E6393FD
SHA256:00BE065F405E93233CC2F0012DEFDCBB1D6817B58969D5FFD9FD72FC4783C6F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
25
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.162:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7224
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7224
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.162:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
6988
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7480
chrome.PIF
188.114.97.3:443
persone.pro
CLOUDFLARENET
NL
unknown
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.162
  • 23.48.23.193
  • 23.48.23.159
  • 23.48.23.194
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.150
  • 23.48.23.158
  • 23.48.23.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.1
  • 20.190.159.131
  • 40.126.31.69
  • 40.126.31.131
  • 40.126.31.0
  • 20.190.159.129
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
persone.pro
  • 188.114.97.3
  • 188.114.96.3
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ICRM-ICCB-CRM_PATCH.cmd