7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
Size

5.7MB
MD5

706704da7601ee1d23e0b4e1ddb7966f
SHA1

1234d648ff9d7625aa9b8c43295df2cfbb15c967
SHA256

7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924
SHA512

a8c1ac73787a7638d064a93a0f8b7db0e10eef685c54397932e5faafac52558e0e762ef418640dda0dcd54bb542256db71acc17c2c03f1f20e1e43301308964c
SSDEEP

98304:1zw2cH457oTOfe6WEEH8gSLO6ZWBGhusJVjnnCZWq82zPJJlKpSGchcBrahwNO+t:xcH45kGe6WEnXZW14VjnC8u5KpSGcaBD

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
4612	DongleServer.exe
2780	DongleServer.exe

Loads dropped DLL 9 IoCs

pid	Process
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00070000000231b8-26.dat	vmprotect
behavioral2/files/0x00070000000231b8-27.dat	vmprotect
behavioral2/memory/4612-28-0x0000000062C20000-0x0000000062C5C000-memory.dmp	vmprotect
behavioral2/memory/4612-76-0x0000000062C20000-0x0000000062C5C000-memory.dmp	vmprotect
behavioral2/files/0x00070000000231b8-83.dat	vmprotect
behavioral2/memory/2780-149-0x0000000062C20000-0x0000000062C5C000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4612	DongleServer.exe
2780	DongleServer.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log	DongleServer.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_240615078	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log	DongleServer.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File opened for modification	C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log	DongleServer.exe
File opened for modification	C:\Program Files (x86)\3Shape	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
File created	C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1944	sc.exe
2236	sc.exe
2980	sc.exe
4680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
208	taskkill.exe
4756	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	DongleServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	DongleServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	DongleServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	DongleServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	DongleServer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings	mshta.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
4612	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe
2780	DongleServer.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	4612	DongleServer.exe
Token: SeDebugPrivilege	2780	DongleServer.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	2312	powercfg.exe
Token: SeCreatePagefilePrivilege	2312	powercfg.exe
Token: SeShutdownPrivilege	4524	powercfg.exe
Token: SeCreatePagefilePrivilege	4524	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeCreatePagefilePrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	640	powercfg.exe
Token: SeCreatePagefilePrivilege	640	powercfg.exe
Token: SeShutdownPrivilege	2096	powercfg.exe
Token: SeCreatePagefilePrivilege	2096	powercfg.exe
Token: SeShutdownPrivilege	4316	powercfg.exe
Token: SeCreatePagefilePrivilege	4316	powercfg.exe
Token: SeShutdownPrivilege	396	powercfg.exe
Token: SeCreatePagefilePrivilege	396	powercfg.exe
Token: SeShutdownPrivilege	3732	powercfg.exe
Token: SeCreatePagefilePrivilege	3732	powercfg.exe
Token: SeShutdownPrivilege	4236	powercfg.exe
Token: SeCreatePagefilePrivilege	4236	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeCreatePagefilePrivilege	1580	powercfg.exe
Token: SeShutdownPrivilege	2408	powercfg.exe
Token: SeCreatePagefilePrivilege	2408	powercfg.exe
Token: SeShutdownPrivilege	448	powercfg.exe
Token: SeCreatePagefilePrivilege	448	powercfg.exe
Token: SeShutdownPrivilege	4612	powercfg.exe
Token: SeCreatePagefilePrivilege	4612	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 208	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	86
PID 1820 wrote to memory of 208	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	86
PID 1820 wrote to memory of 208	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	86
PID 1820 wrote to memory of 4756	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	89
PID 1820 wrote to memory of 4756	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	89
PID 1820 wrote to memory of 4756	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	89
PID 1820 wrote to memory of 4216	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	92
PID 1820 wrote to memory of 4216	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	92
PID 1820 wrote to memory of 4216	1820	7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe	92
PID 4216 wrote to memory of 4120	4216	cmd.exe	95
PID 4216 wrote to memory of 4120	4216	cmd.exe	95
PID 4216 wrote to memory of 4120	4216	cmd.exe	95
PID 4216 wrote to memory of 1056	4216	cmd.exe	96
PID 4216 wrote to memory of 1056	4216	cmd.exe	96
PID 4216 wrote to memory of 1056	4216	cmd.exe	96
PID 4216 wrote to memory of 4504	4216	cmd.exe	98
PID 4216 wrote to memory of 4504	4216	cmd.exe	98
PID 4216 wrote to memory of 4504	4216	cmd.exe	98
PID 4504 wrote to memory of 3244	4504	mshta.exe	101
PID 4504 wrote to memory of 3244	4504	mshta.exe	101
PID 4504 wrote to memory of 3244	4504	mshta.exe	101
PID 3244 wrote to memory of 1944	3244	cmd.exe	103
PID 3244 wrote to memory of 1944	3244	cmd.exe	103
PID 3244 wrote to memory of 1944	3244	cmd.exe	103
PID 3244 wrote to memory of 2236	3244	cmd.exe	104
PID 3244 wrote to memory of 2236	3244	cmd.exe	104
PID 3244 wrote to memory of 2236	3244	cmd.exe	104
PID 3244 wrote to memory of 2980	3244	cmd.exe	105
PID 3244 wrote to memory of 2980	3244	cmd.exe	105
PID 3244 wrote to memory of 2980	3244	cmd.exe	105
PID 3244 wrote to memory of 4680	3244	cmd.exe	106
PID 3244 wrote to memory of 4680	3244	cmd.exe	106
PID 3244 wrote to memory of 4680	3244	cmd.exe	106
PID 3244 wrote to memory of 4612	3244	cmd.exe	107
PID 3244 wrote to memory of 4612	3244	cmd.exe	107
PID 3244 wrote to memory of 4612	3244	cmd.exe	107
PID 3244 wrote to memory of 440	3244	cmd.exe	110
PID 3244 wrote to memory of 440	3244	cmd.exe	110
PID 3244 wrote to memory of 440	3244	cmd.exe	110
PID 440 wrote to memory of 4780	440	net.exe	111
PID 440 wrote to memory of 4780	440	net.exe	111
PID 440 wrote to memory of 4780	440	net.exe	111
PID 2780 wrote to memory of 4104	2780	DongleServer.exe	115
PID 2780 wrote to memory of 4104	2780	DongleServer.exe	115
PID 2780 wrote to memory of 4104	2780	DongleServer.exe	115
PID 2780 wrote to memory of 2312	2780	DongleServer.exe	118
PID 2780 wrote to memory of 2312	2780	DongleServer.exe	118
PID 2780 wrote to memory of 2312	2780	DongleServer.exe	118
PID 2780 wrote to memory of 4524	2780	DongleServer.exe	119
PID 2780 wrote to memory of 4524	2780	DongleServer.exe	119
PID 2780 wrote to memory of 4524	2780	DongleServer.exe	119
PID 2780 wrote to memory of 1632	2780	DongleServer.exe	122
PID 2780 wrote to memory of 1632	2780	DongleServer.exe	122
PID 2780 wrote to memory of 1632	2780	DongleServer.exe	122
PID 2780 wrote to memory of 640	2780	DongleServer.exe	123
PID 2780 wrote to memory of 640	2780	DongleServer.exe	123
PID 2780 wrote to memory of 640	2780	DongleServer.exe	123
PID 2780 wrote to memory of 2096	2780	DongleServer.exe	125
PID 2780 wrote to memory of 2096	2780	DongleServer.exe	125
PID 2780 wrote to memory of 2096	2780	DongleServer.exe	125
PID 2780 wrote to memory of 4316	2780	DongleServer.exe	127
PID 2780 wrote to memory of 4316	2780	DongleServer.exe	127
PID 2780 wrote to memory of 4316	2780	DongleServer.exe	127
PID 2780 wrote to memory of 396	2780	DongleServer.exe	129

C:\Users\Admin\AppData\Local\Temp\7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe
"C:\Users\Admin\AppData\Local\Temp\7dd570dc785119b92871362d089f10ca781c027ad04433ae042c7a2622570924.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ver"
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\find.exe
    find "5."
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("C:\PROGRA~2\3Shape\DONGLE~1\CRACK4~1.BAT","goto :Admin","","runas",1)(window.close)
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\PROGRA~2\3Shape\DONGLE~1\CRACK4~1.BAT" goto :Admin
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\System32\sc config DentalUpdater start=auto
        5⤵
        Launches sc.exe
        
        PID:1944
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto
        5⤵
        Launches sc.exe
        
        PID:2236
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\System32\sc config DongleServerService start=auto
        5⤵
        Launches sc.exe
        
        PID:2980
    - - C:\Windows\SysWOW64\sc.exe
        
        C:\Windows\System32\sc config DentalDesktopServer start=auto
        5⤵
        Launches sc.exe
        
        PID:4680
    - - C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
        
        "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
    - - C:\Windows\SysWOW64\net.exe
        
        C:\Windows\System32\net start DongleServerService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start DongleServerService
        6⤵
        
        PID:4780
    - - C:\Windows\SysWOW64\net.exe
        
        C:\Windows\System32\net start DentalDesktopServer
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start DentalDesktopServer
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\net.exe
        
        C:\Windows\System32\net start ThreeShapeDentalManagerService
        5⤵
        
        PID:832
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start ThreeShapeDentalManagerService
        6⤵
        
        PID:4188

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setacvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\SysWOW64\powercfg.exe
  "C:\Windows\system32\powercfg.exe" -setdcvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat

Filesize
112KB

MD5
0230a9f24d7fa8759f457d17452b909e

SHA1
c176b404560260cdad3a1ad2143784c13176dff1

SHA256
98271745c1eca49fff504d936f75cbc101050085760aadc8311c1a5eedcbb81b

SHA512
5699bfb1e4136ed718f9ec6d25ebfa6d6e788f5cff189f721195be136de7f3b8509520e58bb9b188c31f39ff719a2d208efbc39b84a6abaaaa543198a8c0d0bc

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat

Filesize
112KB

MD5
0230a9f24d7fa8759f457d17452b909e

SHA1
c176b404560260cdad3a1ad2143784c13176dff1

SHA256
98271745c1eca49fff504d936f75cbc101050085760aadc8311c1a5eedcbb81b

SHA512
5699bfb1e4136ed718f9ec6d25ebfa6d6e788f5cff189f721195be136de7f3b8509520e58bb9b188c31f39ff719a2d208efbc39b84a6abaaaa543198a8c0d0bc

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\3s.dat

Filesize
112KB

MD5
0230a9f24d7fa8759f457d17452b909e

SHA1
c176b404560260cdad3a1ad2143784c13176dff1

SHA256
98271745c1eca49fff504d936f75cbc101050085760aadc8311c1a5eedcbb81b

SHA512
5699bfb1e4136ed718f9ec6d25ebfa6d6e788f5cff189f721195be136de7f3b8509520e58bb9b188c31f39ff719a2d208efbc39b84a6abaaaa543198a8c0d0bc

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml

Filesize
1KB

MD5
03e755200772d78f08a5a15b66cfa1b6

SHA1
42e903a8ad88437765bc9de32444a108fab765c2

SHA256
ff6b53313e59b2b77abd2e2ee5fe590f5cbeecf8785bee279a4f312f3bf48783

SHA512
f7863f1dfccb6d7c2b5d57965702d5614a961df2770a0f5eb41a54ad274e879d59bec0f7fc0f8e7a2d00138c9b77c1a1a9d091574021b1256559fc592fe5d325

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\Crack4Dental.bat

Filesize
1KB

MD5
e1f27afeac3b5a37368e89db21f6510b

SHA1
e38e0b2fe09317ea43171e7d88890f796390f4d8

SHA256
ec1a552aef8bff45fbeed30309e1618ce816767a741f15073e08ab1acf5d5839

SHA512
8dab8969128640e57089f6807c57dd63f594a98809b52db320aee44958f7fb3dd5877989a8aa03e130696758701e586ae442a7ce4cec3b28a1ea80c646c98f38

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DDCHANGE.DLL

Filesize
95KB

MD5
37850c457c42e8b48b4b4dd8255fcbac

SHA1
39e9ab478096b3186ba99930952339e648a37247

SHA256
c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224

SHA512
45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll

Filesize
151KB

MD5
42772d7f0cf71d62f307408419ff8162

SHA1
a8be2f013fbb7851799b4e255791b8a5bf24bca6

SHA256
e8ed3378b1dcf98650f20c1a44cf08b5d82f2a632200570ea7954d5fbc1c3372

SHA512
7b8a9369beb0dbdb9fe93e434b87a4d5be513cce82d0e205c3c7268684899021010f47ae215caf92442ddbd7dd779ae67c21279e3a816d522400cc58ad619b45

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll

Filesize
151KB

MD5
42772d7f0cf71d62f307408419ff8162

SHA1
a8be2f013fbb7851799b4e255791b8a5bf24bca6

SHA256
e8ed3378b1dcf98650f20c1a44cf08b5d82f2a632200570ea7954d5fbc1c3372

SHA512
7b8a9369beb0dbdb9fe93e434b87a4d5be513cce82d0e205c3c7268684899021010f47ae215caf92442ddbd7dd779ae67c21279e3a816d522400cc58ad619b45

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll

Filesize
151KB

MD5
42772d7f0cf71d62f307408419ff8162

SHA1
a8be2f013fbb7851799b4e255791b8a5bf24bca6

SHA256
e8ed3378b1dcf98650f20c1a44cf08b5d82f2a632200570ea7954d5fbc1c3372

SHA512
7b8a9369beb0dbdb9fe93e434b87a4d5be513cce82d0e205c3c7268684899021010f47ae215caf92442ddbd7dd779ae67c21279e3a816d522400cc58ad619b45

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

Filesize
5.2MB

MD5
e819c6b87d38f3f2ab9dba469adff60e

SHA1
97d0f78c839da1a075f3554506d71d801429e8b0

SHA256
e598cb8d49c566f7a818a03ed979a4433a29b08f5adcd8067b1ced7303dad4b3

SHA512
594ea7dbcdfbc9e886b31a9bff00d3c9f5ad79acfb8194bee58fd7b9bd5360cbd0202b53bf8e4aa8c099e0cd7d7d79b8283cd829f3834d2a2b1f1f5f52b5bf83

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

Filesize
5.2MB

MD5
e819c6b87d38f3f2ab9dba469adff60e

SHA1
97d0f78c839da1a075f3554506d71d801429e8b0

SHA256
e598cb8d49c566f7a818a03ed979a4433a29b08f5adcd8067b1ced7303dad4b3

SHA512
594ea7dbcdfbc9e886b31a9bff00d3c9f5ad79acfb8194bee58fd7b9bd5360cbd0202b53bf8e4aa8c099e0cd7d7d79b8283cd829f3834d2a2b1f1f5f52b5bf83

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

Filesize
5.2MB

MD5
e819c6b87d38f3f2ab9dba469adff60e

SHA1
97d0f78c839da1a075f3554506d71d801429e8b0

SHA256
e598cb8d49c566f7a818a03ed979a4433a29b08f5adcd8067b1ced7303dad4b3

SHA512
594ea7dbcdfbc9e886b31a9bff00d3c9f5ad79acfb8194bee58fd7b9bd5360cbd0202b53bf8e4aa8c099e0cd7d7d79b8283cd829f3834d2a2b1f1f5f52b5bf83

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

Filesize
290B

MD5
b866bddd9e4eb75148b5d884f42886bf

SHA1
09d37ce55fa7ccc563432212e8e1832dae7c2779

SHA256
b6346dd6259e0dc254dc51a41898d6e2f3db66783c15910a3bd594c5b091aacf

SHA512
588139af7753d715eeac92e3526ca8f2d9a8d0673f727ebb9abdd7312205fb21fb495894ea11421e035e0da87e02819330303e48e77ee1b7c1ed57d00bbf735a

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml

Filesize
581B

MD5
c9cf83c3e2068cb8d3d6a75096ed4f0c

SHA1
647bc9eddc3e863807ccea1bbd9fd7e0f270b7c8

SHA256
073651fc93394e138b41330db4172fb02e08867a1cb661960e1d7d873791bfd6

SHA512
0c1c13306dc7dbb93ff524bfb00b1330bd70b65043ab56a6d5fd6d1639dc6f6472fa4086e1596839556f16af9b7bc51168bf0f4b84f90113498f9323ed81a2ec

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv

Filesize
3.6MB

MD5
c3ba93bd9cfb4a0f88499512251de2d0

SHA1
e4a820d34bf0be8c72992509430ecc0f29c0ee3d

SHA256
2f72740f5ecd9804e5d5664950704cf0570f52c042977f62df872810e3fa60c6

SHA512
018ef462569fcf24928d7816768b07f2b3ecdaf92efe32ecf1a8d99b59a7db4b07c0eb4c07eb5ae724656db80503b702b8f253934b19dc4bbb96337458cffe0a

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv

Filesize
3.6MB

MD5
c3ba93bd9cfb4a0f88499512251de2d0

SHA1
e4a820d34bf0be8c72992509430ecc0f29c0ee3d

SHA256
2f72740f5ecd9804e5d5664950704cf0570f52c042977f62df872810e3fa60c6

SHA512
018ef462569fcf24928d7816768b07f2b3ecdaf92efe32ecf1a8d99b59a7db4b07c0eb4c07eb5ae724656db80503b702b8f253934b19dc4bbb96337458cffe0a

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv

Filesize
3.6MB

MD5
c3ba93bd9cfb4a0f88499512251de2d0

SHA1
e4a820d34bf0be8c72992509430ecc0f29c0ee3d

SHA256
2f72740f5ecd9804e5d5664950704cf0570f52c042977f62df872810e3fa60c6

SHA512
018ef462569fcf24928d7816768b07f2b3ecdaf92efe32ecf1a8d99b59a7db4b07c0eb4c07eb5ae724656db80503b702b8f253934b19dc4bbb96337458cffe0a

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll

Filesize
95KB

MD5
37850c457c42e8b48b4b4dd8255fcbac

SHA1
39e9ab478096b3186ba99930952339e648a37247

SHA256
c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224

SHA512
45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll

Filesize
95KB

MD5
37850c457c42e8b48b4b4dd8255fcbac

SHA1
39e9ab478096b3186ba99930952339e648a37247

SHA256
c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224

SHA512
45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

Download Submit
C:\Program Files (x86)\3Shape\Dongle Server Service\winspool.drv

Filesize
3.6MB

MD5
c3ba93bd9cfb4a0f88499512251de2d0

SHA1
e4a820d34bf0be8c72992509430ecc0f29c0ee3d

SHA256
2f72740f5ecd9804e5d5664950704cf0570f52c042977f62df872810e3fa60c6

SHA512
018ef462569fcf24928d7816768b07f2b3ecdaf92efe32ecf1a8d99b59a7db4b07c0eb4c07eb5ae724656db80503b702b8f253934b19dc4bbb96337458cffe0a

Download Submit
memory/2780-114-0x0000000074710000-0x0000000074EB0000-memory.dmp

Filesize
7.6MB

Download
memory/2780-101-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/2780-125-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/2780-131-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-134-0x0000000074710000-0x0000000074EB0000-memory.dmp

Filesize
7.6MB

Download
memory/2780-135-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-120-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/2780-121-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/2780-136-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-119-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/2780-92-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/2780-113-0x00000000014D0000-0x00000000014DE000-memory.dmp

Filesize
56KB

Download
memory/2780-108-0x00000000014D0000-0x00000000014DE000-memory.dmp

Filesize
56KB

Download
memory/2780-107-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2780-106-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2780-104-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/2780-105-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/2780-137-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/2780-138-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/2780-103-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/2780-102-0x0000000001470000-0x0000000001471000-memory.dmp

Filesize
4KB

Download
memory/2780-130-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-140-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/2780-100-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/2780-99-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/2780-98-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2780-93-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/2780-94-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/2780-95-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2780-96-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/2780-97-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/2780-141-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-142-0x0000000003AE0000-0x0000000003AFD000-memory.dmp

Filesize
116KB

Download
memory/2780-149-0x0000000062C20000-0x0000000062C5C000-memory.dmp

Filesize
240KB

Download
memory/2780-84-0x0000000074710000-0x0000000074EB0000-memory.dmp

Filesize
7.6MB

Download
memory/2780-86-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/2780-87-0x0000000074710000-0x0000000074EB0000-memory.dmp

Filesize
7.6MB

Download
memory/2780-89-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2780-90-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2780-88-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2780-85-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2780-91-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4612-46-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/4612-80-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/4612-79-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/4612-78-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/4612-77-0x00000000748F0000-0x0000000075090000-memory.dmp

Filesize
7.6MB

Download
memory/4612-76-0x0000000062C20000-0x0000000062C5C000-memory.dmp

Filesize
240KB

Download
memory/4612-74-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/4612-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4612-69-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/4612-67-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4612-66-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/4612-63-0x00000000761C0000-0x00000000762B0000-memory.dmp

Filesize
960KB

Download
memory/4612-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4612-59-0x00000000748F0000-0x0000000075090000-memory.dmp

Filesize
7.6MB

Download
memory/4612-58-0x0000000002960000-0x000000000296E000-memory.dmp

Filesize
56KB

Download
memory/4612-53-0x0000000002960000-0x000000000296E000-memory.dmp

Filesize
56KB

Download
memory/4612-52-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/4612-51-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4612-50-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4612-49-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/4612-48-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/4612-47-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/4612-45-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4612-44-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4612-43-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/4612-42-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/4612-41-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4612-40-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4612-39-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4612-37-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4612-38-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/4612-36-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4612-35-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/4612-34-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4612-33-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4612-32-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/4612-30-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/4612-31-0x00000000748F0000-0x0000000075090000-memory.dmp

Filesize
7.6MB

Download
memory/4612-29-0x00000000748F0000-0x0000000075090000-memory.dmp

Filesize
7.6MB

Download
memory/4612-28-0x0000000062C20000-0x0000000062C5C000-memory.dmp

Filesize
240KB

Download