File name: DGHTDLPO.exe

Full analysis: https://app.any.run/tasks/bf2cc320-6735-4046-bd2f-fa83e3bdf32b
Verdict: Malicious activity
Analysis date: August 05, 2024, 18:37:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9C1C19B62C1BE57B9B5C0364A4C93C4F
SHA1: 98B65E9EA9264CC3BD5C70E903CA5DDBB0CD73F0
SHA256: F311EA2334B5124D9F191FE46205673DA75905DB3E08930723A8932143CF6603
SSDEEP: 98304:LP/h/5E1SZVY4MGfLGJFnIEckBlmYP8UnxlHOt/nIgSZVdu4eN8A1Ao6XGhYthE0:lxiQtkbC+s46FQuHcf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • DGHTDLPO.exe (PID: 5172)
      • DGHTDLPO.exe (PID: 1420)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DGHTDLPO.exe (PID: 5172)
      • DGHTDLPO.exe (PID: 1420)
    • Starts itself from another location

      • DGHTDLPO.exe (PID: 5172)
    • Process drops legitimate windows executable

      • DGHTDLPO.exe (PID: 1420)
    • The process drops C-runtime libraries

      • DGHTDLPO.exe (PID: 1420)
    • Starts CMD.EXE for command execution

      • hv.exe (PID: 876)
    • The executable file from the user directory is run by the CMD process

      • hv.exe (PID: 7136)
  • INFO

    • Checks supported languages

      • DGHTDLPO.exe (PID: 5172)
      • DGHTDLPO.exe (PID: 1420)
      • hv.exe (PID: 876)
    • Creates files in a temporary directory

      • DGHTDLPO.exe (PID: 1420)
      • DGHTDLPO.exe (PID: 5172)
      • hv.exe (PID: 876)
    • Reads the computer name

      • DGHTDLPO.exe (PID: 1420)
      • hv.exe (PID: 876)
    • Reads Environment values

      • hv.exe (PID: 876)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:11:18 22:00:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.11
CodeSize: 301568
InitializedDataSize: 160768
UninitializedDataSize: -
EntryPoint: 0x2e2a6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.2.2.0
ProductVersionNumber: 1.2.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Salesroom
FileDescription: Neurosurgery
FileVersion: 1.2.2.0
InternalName: setup
LegalCopyright: Copyright (c) Salesroom. All rights reserved.
OriginalFileName: havildar.exe
ProductName: Neurosurgery
ProductVersion: 1.2.2.0
No data.
Total processes: 129
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes shown in the graph: start, dghtdlpo.exe, dghtdlpo.exe, hv.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), hv.exe (no specs)

Process information

PID: 876
CMD: "C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\hv.exe"
Path: C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\hv.exe
Parent process: DGHTDLPO.exe
User: admin
Company: Handy Software
Integrity Level: MEDIUM
Description: Handy Viewer
Exit code: 1
Version: 2.2.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\{da2d1c2c-0113-430d-8069-aa7eca060381}\.ba\hv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comdlg32.dll

PID: 1420
CMD: "C:\Users\admin\AppData\Local\Temp\{B18EC210-E24D-498E-BFB0-70F540813DF7}\.cr\DGHTDLPO.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\DGHTDLPO.exe" -burn.filehandle.attached=592 -burn.filehandle.self=688
Path: C:\Users\admin\AppData\Local\Temp\{B18EC210-E24D-498E-BFB0-70F540813DF7}\.cr\DGHTDLPO.exe
Parent process: DGHTDLPO.exe
User: admin
Company: Salesroom
Integrity Level: MEDIUM
Description: Neurosurgery
Exit code: 0
Version: 1.2.2.0
Modules (images):
  c:\users\admin\appdata\local\temp\{b18ec210-e24d-498e-bfb0-70f540813df7}\.cr\dghtdlpo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 4308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 5172
CMD: "C:\Users\admin\AppData\Local\Temp\DGHTDLPO.exe"
Path: C:\Users\admin\AppData\Local\Temp\DGHTDLPO.exe
Parent process: explorer.exe
User: admin
Company: Salesroom
Integrity Level: MEDIUM
Description: Neurosurgery
Exit code: 0
Version: 1.2.2.0
Modules (images):
  c:\users\admin\appdata\local\temp\dghtdlpo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 6772
CMD: C:\WINDOWS\SysWOW64\cmd.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: hv.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7136
CMD: C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\hv.exe
Path: C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\hv.exe
Parent process: cmd.exe
User: admin
Company: Handy Software
Integrity Level: MEDIUM
Description: Handy Viewer
Version: 2.2.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\hmwkpldwhcjyyw
Total events: 522
Read events: 522
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 2
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6772 | cmd.exe | C:\Users\admin\AppData\Local\Temp\hmwkpldwhcjyyw | - | - | -
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\cryostat.rtf | binary | 110327DDDB6D656B93C034B1ADB4DB96 | C45634E7F07768D50911DD3B97EA2C37CD4134BEA0190344BA22A88C6B736251
5172 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{B18EC210-E24D-498E-BFB0-70F540813DF7}\.cr\DGHTDLPO.exe | executable | E53B8CCDA0AE7260B7FFE32ACB75BCF8 | 898B7A9730DACFDEEEB6CC68827C094ACBDC2691F54242AF2B447C1BC91907E9
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\oik.avi | image | 8FE4D09D338C3F1C059D25C8B291A33A | E130261B4DB87C0486E9A31CC8AF02C90968724EF888DBDD98A620426414EBC8
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\iepdf32.dll | executable | 88CC807A820640F44F6E470A03C77AA9 | 6EB39C07A505D51032993C62A6511CEA90750EE106715DCB0B09A3B81B48B3AD
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\Soap.dll | executable | 514772CA53B1059ECC457D66B03511DD | 9349639655ADDDB200C337BBCF3D3E5B4401F7219AE0FC6831C38FEB2FAFE55E
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\BootstrapperApplicationData.xml | xml | 8A2BE03D668F91764BA380461228F0A5 | DF119CF126B4E2EE91EBAE461E3A146921FE7D7B89CBDFD96FC2FEE255E54F82
1420 | DGHTDLPO.exe | C:\Users\admin\AppData\Local\Temp\{DA2D1C2C-0113-430D-8069-AA7ECA060381}\.ba\hv.exe | executable | 480F8CF600F5509595B8418C6534CAF2 | 6D8905EC0B1DFDC0A10D1CCE40714DDD73205A09AD390B933DDBECDCF06A4CF2
876 | hv.exe | C:\Users\admin\AppData\Local\Temp\ILIST-1280311B.tmp | gmc | EC87A838931D4D5D2E94A04644788A55 | 8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
876 | hv.exe | C:\Users\admin\AppData\Local\Temp\ICACHE-5EB3658B.tmp | gmc | EC87A838931D4D5D2E94A04644788A55 | 8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 39
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6656 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6700 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5796 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3188 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5336 | SearchApp.exe | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | unknown
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 104.126.37.153
  • 104.126.37.154
  • 104.126.37.129
  • 104.126.37.176
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.179
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
fd.api.iris.microsoft.com
  • 20.74.19.45
whitelisted
th.bing.com
  • 104.126.37.179
  • 104.126.37.153
  • 104.126.37.154
  • 104.126.37.129
  • 104.126.37.176
  • 104.126.37.123
  • 104.126.37.128
  • 104.126.37.130
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted

Threats

No threats detected
No debug info