418208780e0e41c8261e9650419ecca149a89933256986e69cb16e03bfcd5c4e

Analysis

max time kernel
34s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DG_MSActivator.exe
Size

15.6MB
MD5

1c36d0bfc25cb44b08a33a014bb349d8
SHA1

434b5b0f4c3dac53890ba503ee13fbfdc0209cfa
SHA256

b800105d30813807305d2649378669aceed89d948cdc044517f24910bac5b4c6
SHA512

c9a1f4df940d8c010cee37c3fa3625a30e2eaf7637d68f22373ef1499ef5445f67c59e2bfb723c7fe607c31e04d6194541ebca8fcd7c242cdc0138f2a2cdae1f
SSDEEP

393216:nC2gPsUHF5pzIsk5U3KL5z1IatTQ853RlmHbKwMHxzhzxiZ:nCzIlq3KLJZWOxH9lg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ApplicationFrameHelperRunner.exeApplicationFrameHelper.exe

pid process

4328 ApplicationFrameHelperRunner.exe
1088 ApplicationFrameHelper.exe
Modifies registry class 1 IoCs

Processes:

DG_MSActivator.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings DG_MSActivator.exe

pid	process
4328	ApplicationFrameHelperRunner.exe
1088	ApplicationFrameHelper.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	DG_MSActivator.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DG_MSActivator.exeApplicationFrameHelper.exe

pid	process
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
2004	DG_MSActivator.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
2004	DG_MSActivator.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe
1088	ApplicationFrameHelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DG_MSActivator.exeApplicationFrameHelper.exe

description pid process

Token: SeDebugPrivilege 2004 DG_MSActivator.exe
Token: SeDebugPrivilege 1088 ApplicationFrameHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2900 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	2004	DG_MSActivator.exe
Token: SeDebugPrivilege	1088	ApplicationFrameHelper.exe

pid	process
2900	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DG_MSActivator.exeApplicationFrameHelperRunner.exe

description	pid	process	target process
PID 2004 wrote to memory of 4328	2004	DG_MSActivator.exe	ApplicationFrameHelperRunner.exe
PID 2004 wrote to memory of 4328	2004	DG_MSActivator.exe	ApplicationFrameHelperRunner.exe
PID 2004 wrote to memory of 4328	2004	DG_MSActivator.exe	ApplicationFrameHelperRunner.exe
PID 4328 wrote to memory of 1088	4328	ApplicationFrameHelperRunner.exe	ApplicationFrameHelper.exe
PID 4328 wrote to memory of 1088	4328	ApplicationFrameHelperRunner.exe	ApplicationFrameHelper.exe
PID 4328 wrote to memory of 1088	4328	ApplicationFrameHelperRunner.exe	ApplicationFrameHelper.exe

C:\Users\Admin\AppData\Local\Temp\DG_MSActivator.exe
"C:\Users\Admin\AppData\Local\Temp\DG_MSActivator.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHelperRunner.exe
"C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHelperRunner.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHelper.exe
"ApplicationFrameHelper.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\0leziycc.newcfg

Filesize
2KB

MD5
4c40cd83b86fd96de9382f02b4d6f64c

SHA1
20a62b4229292d2709e6e20aa1fa95fb3ff9fcd2

SHA256
5792e1966beb02ddfd5dcf6ce1cdd83bdc6cbf6ce787e95c69dac58a4927f233

SHA512
1d5133554a043e8d47ea494636efcab9a877be344270be79cdb322832ceed2dee26f747b2cbdb6452f09f612ef874adc4ad0725b30d7bfc70ee61a2b209c9148

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\4qfploo4.newcfg

Filesize
2KB

MD5
196ef26e37664e710726075010b550d7

SHA1
394e1cdbca381b22e0537e04492d04efc308a1b6

SHA256
9f28209d595e25f85a87add2abe381542a3b0e42e99985ab5ab74f54f1bd6cc1

SHA512
a4bc80214af704ebea39d0dbdd2d3187022320103995a4731df05e525f9bab261660634412baf1ed357259295ddb4e1048393ed4ceffd53411027bc978e57dd4

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\bodsgk33.newcfg

Filesize
1KB

MD5
308eb3c54471c9a486e8bab221baeb8d

SHA1
b92383ceab061ef4e305afdbb7196233594d7225

SHA256
e70182fa4140117c0c06ae7322b87de257acf7a51a328e85b6f1b8303180790c

SHA512
c7428c6ad98be175580d598d8667140a582810015fbf3af3d72fd372e8f0457785a23bccea479e3f4571ae7cbbe2089f3af49f512d95a8d424818d252c00e199

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\g1c1x2zn.newcfg

Filesize
2KB

MD5
7d1178c8121f05435e98bbede99aee0f

SHA1
c865749460acf9a01daac12082634a7cf8297fbc

SHA256
d1e04210299be25cf90c72872339130dcc59781375e4ab75937d1b79b04077cc

SHA512
79d35cda06db07889d4e0d675747c68c5095022b2a209724ba63b5c3160765bcd911fb90b032a69580da3da9ed53be045a2f1967b0db07b147253ab666156bae

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\nmf0olm0.newcfg

Filesize
1KB

MD5
04502ace94066e4d88cd5a178d76beb8

SHA1
9b19743a8c97cedad82083c7c858a64fdb17e3ff

SHA256
f45b13c9ba2694bb35da494e9b87a0c2aee471a1f4dc34c566c1472e6f4d4547

SHA512
95f219450523e5eb495ab3fe88e59d71ce34685db23457aa89118a7a54626dabc50865863b845a3714e46710d1f50ed1d1c6d0b406327edb2e6bbd31986c3e84

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\o4mddqge.newcfg

Filesize
1KB

MD5
f23eca8f41873211bdc8196d89cc8d1a

SHA1
dba0637ccb059ded23aa6b43b2ad51bae2a2912a

SHA256
62cd5310c2aa451f968b0536a3c436a2f85410a526fd7de4cacbe604b40261d7

SHA512
3d47c372836f30f69f4d7d4901ab93b2875105686c0e81362d61fe279ee3b68514f47cf99dadaed21885f11884e96310e5d5bcc9667bc51da523ec9a4a1b1d21

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\qcui5wc2.newcfg

Filesize
2KB

MD5
9a9b81e00b128cbaad769c47d1ec58b9

SHA1
32fc6ef7c7fdf56a0eb50b27ff213eb633f3df12

SHA256
07ef8b4b9a05d18eab20d53d275a19df2fd4deab8ff03ab4f8089b146a6d92d5

SHA512
46e8f4322b40b18078d00b02fe6834b481c527af409df46f487638f5a4558aa0d71e0ddd0a28c655bf58830e1b7b0a4f827ad36c35a427a6822321a3955a8c7b

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\sbbwt4uv.newcfg

Filesize
1KB

MD5
8cad8b00f28bc937a92571d0230add1b

SHA1
0a153e1396cd32ae3057e663b3732752e8144773

SHA256
1ed9e4b5ed2108e9acf830133662e43810a0552b2a5ed92b84414d846c04a785

SHA512
61f11317a82d0868597a6974f0d20cb1a2526705db179ce1678d54265400393b15cc23a398bd10539370d9be2e827aea683093cda9c670345c84236247ffdeaf

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\user.config

Filesize
823B

MD5
6d1af2da69efe7c699d64251a913ff2f

SHA1
2cfd10f1da663386c98e62ff18d8c0ab851ccb75

SHA256
801759250ed08e1b525d7920b85156b6070e67c8ba207fa9d1897797040a507e

SHA512
d84b7c7add8db65f67fb825d6c0bfeeecc931c3d87cc2b42a059f517c79e6cb055776025dabe8da36deb70f3da334f6794b03c570d4311933b5129bab11901a2

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\user.config

Filesize
1KB

MD5
4f072c7da01355b4046c9a6191a5a983

SHA1
8348ab758fc941d9b3d859adf04654ad901fa696

SHA256
d28ebeeabc2017f4bdb7bf8d3ab118d4a5d7a40facab253bf86e982a8a20d7a9

SHA512
41684cfcc4b6abff8cbf2042a96ae6fe54c22d904e9d5bfc2f7df8525155c280154eae3d2549a636f26603bb948f223be468de70c7618b853d7ed5fb0c767d75

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\user.config

Filesize
2KB

MD5
64cdfa6d4cd120332bdc93431f7c7bf6

SHA1
c0b732e690b7d29097f27d35d40b592ccdf01d8e

SHA256
830ab27c5d6861ec6103c7e4b3bed3276f099f33706c7484b0519bc94cf28ca0

SHA512
08dc85eeac06d59fa9d7a52ee0aa649c00f15b06027a34509fd1fe31bf45b4e693d622ad14f583af0752be059dedd96d1aecb637725c115dd0b233eaa40b7983

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\y2jwz0az.newcfg

Filesize
2KB

MD5
7b94496ec6775d315e1f3a1b4cf226b1

SHA1
02f75de7be73fa8d82b2636364282d8239898820

SHA256
83b7c915ac6ff1296cb516525b6f4e7dcfeb6e1cb5915d2371a68e3b1bd624ad

SHA512
eb287fb1d978ebc0ed9667ba4456d3e2ca568b0e2b4a0bafb2a0c849e5c3edccb1718f50a157fe141d7939177d01e7b1727582c59567fc85a2b487e738a2fd05

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\ye4rnjhm.newcfg

Filesize
1KB

MD5
4b3cc5324a4efd06e19edd5ba71f92a4

SHA1
a9ad0d096a4cf547bfdb4f64425fc197cda849a9

SHA256
0636145c712a8f0d133185b9ecf5a3792e11fb114ff80867d4f1716cc79bd18b

SHA512
b9f3a176b09dcff0449470a3c03343a817f66992dde9f727e57b95db2d9decc25e6a148da0a2b30815a0a48691aebd855e5672bf40a6a8b16c0668445c8dac3c

Download Submit
C:\Users\Admin\AppData\Local\DenuvoGames.store\DG_MSActivator.exe_Url_mwpciftpcy103i1hmbgbikiio4vucb4f\6.3.0.0\zbob4a35.newcfg

Filesize
950B

MD5
892cad5a019cdd24e04e8cb2ffd5639f

SHA1
f2f6af24de896165e74ee211057868ee62e5be47

SHA256
ab5348f27dbed4b7ea607273a3ec4220a488c186f79ba538f6e2bfbbff4a1d86

SHA512
6cdfe6ff7e44ce7b80d413553b37a7cd635c37227583400ecf6b624a7a69e0e42853ad49713906fd081a02335bd9271976e3534b2dee8a8a6e14352b0c67611c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHelper.exe

Filesize
9KB

MD5
7f91015a9b34463eea988337dac26d1f

SHA1
2b7d7d4da90ee1dadabcde3c2805426452af0be4

SHA256
b990f85fa409ea574dec43b2029b73ce12042ae59474779ce24dba8e26a562f9

SHA512
a23c63034333927cc1df631d1614a9aa26e387d7f190d54261e102a0119c3460e1aee80bf2238acc7dd12145bd7e4c0a6fe303a25a5d0263b393572f3acc1480

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHelperRunner.exe

Filesize
7KB

MD5
bc1f046c706c9c6840754f6c59140102

SHA1
74310a097db99ab74dd6024530f499e621c141db

SHA256
cec8d87f3cba247acdbc2b59274ca5a08a2082da927a5fdbf9f9c9b9c11ecab9

SHA512
44a8bf0c335a4be87e3db2fd5d6367035ae3f4fd8ba0128526982d9a50f199b3ba38dc75d1a233bbb952ef5d7d926fe9db2e1cd3d8df61b58d61162f63c0cd69

Download Submit
memory/1088-42-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/1088-43-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2004-58-0x00000245FE2A0000-0x00000245FE2C2000-memory.dmp

Filesize
136KB

Download
memory/2004-199-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

Filesize
8KB

Download
memory/2004-57-0x000002458DD90000-0x000002458DE38000-memory.dmp

Filesize
672KB

Download
memory/2004-203-0x00000245E4930000-0x00000245E4940000-memory.dmp

Filesize
64KB

Download
memory/2004-36-0x00000245E4930000-0x00000245E4940000-memory.dmp

Filesize
64KB

Download
memory/2004-202-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/2004-201-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/2004-31-0x00000245FE3C0000-0x00000245FE464000-memory.dmp

Filesize
656KB

Download
memory/2004-6-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/2004-3-0x0000024588000000-0x000002458A1B6000-memory.dmp

Filesize
33.7MB

Download
memory/2004-2-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/2004-185-0x000002458E050000-0x000002458E05A000-memory.dmp

Filesize
40KB

Download
memory/2004-1-0x00000245E35A0000-0x00000245E453A000-memory.dmp

Filesize
15.6MB

Download
memory/2004-0-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

Filesize
8KB

Download
memory/2004-200-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/4328-34-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/4328-35-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/4328-37-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download