Analysis
max time kernel: 143s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 08:44
Static task: static1
Behavioral task: behavioral1
  Sample: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
  Resource: win10v2004-20240508-en
General
Target: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
Size: 5.1MB
MD5: 42eb620e3bd578f6a854f3fd9707d66a
SHA1: e328d5fab3840415fdd02ae7f3d12181f94568f2
SHA256: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d
SHA512: b35e80a54a828d7e80f6702f61f8f5c1acc5bfdba37358e2bd077da5a8567619f49f65460ecde865970694982d76fa2dd9d97e25fe8bbd3bc3dddc0d85e446a2
SSDEEP: 98304:1zQuOP7cqK3k+BfwhIJkJFnvLcbRSIGEWJB0jX6ENkSH32nm:WuSchRdJkJlvaFFWTQ6EC6am
Malware Config
Signatures
Executes dropped EXE 12 IoCs
pid | Process
1728 | DongleServer.exe
2732 | DongleServer.exe
1048 | DongleServer.exe
1616 | DongleServer.exe
2928 | DongleServer.exe
2060 | DongleServer.exe
1544 | DongleServer.exe
2488 | DongleServer.exe
2492 | DongleServer.exe
2432 | DongleServer.exe
2004 | DongleServer.exe
2016 | DongleServer.exe
Loads dropped DLL 64 IoCs
(64 load events, grouped by process; the events column is the number of times the pid/Process pair appears)
pid | Process | events
2796 | cmd.exe | 1
1728 | DongleServer.exe | 1
2732 | DongleServer.exe | 10
1048 | DongleServer.exe | 1
1616 | DongleServer.exe | 9
2928 | DongleServer.exe | 9
2060 | DongleServer.exe | 9
1544 | DongleServer.exe | 9
2488 | DongleServer.exe | 9
2492 | DongleServer.exe | 6
yara_rule matches 2 IoCs
resource | yara_rule
behavioral1/files/0x0009000000015c9a-33.dat | vmprotect
behavioral1/memory/1728-75-0x0000000073EC0000-0x000000007448C000-memory.dmp | vmprotect
Power Settings 1 TTPs 6 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
2276 | powercfg.exe
1808 | powercfg.exe
2416 | powercfg.exe
684 | powercfg.exe
552 | powercfg.exe
1480 | powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
1728 | DongleServer.exe
2732 | DongleServer.exe
1048 | DongleServer.exe
1616 | DongleServer.exe
2928 | DongleServer.exe
2060 | DongleServer.exe
1544 | DongleServer.exe
2488 | DongleServer.exe
2492 | DongleServer.exe
2432 | DongleServer.exe
2004 | DongleServer.exe
2016 | DongleServer.exe
Drops file in Program Files directory 33 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\hwid.txt | cmd.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_259396450 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2496 | sc.exe
2520 | sc.exe
2224 | sc.exe
2972 | sc.exe
Command and Scripting Interpreter: PowerShell 1 IoCs
pid | Process
832 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 4 IoCs
pid | Process
2200 | taskkill.exe
2076 | taskkill.exe
2680 | taskkill.exe
2448 | taskkill.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | DongleServer.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
(39 events, grouped by process; the events column is the number of times the pid/Process pair appears)
pid | Process | events
1728 | DongleServer.exe | 4
2732 | DongleServer.exe | 3
1048 | DongleServer.exe | 4
832 | powershell.exe | 1
1616 | DongleServer.exe | 3
2928 | DongleServer.exe | 3
2060 | DongleServer.exe | 3
1544 | DongleServer.exe | 3
2488 | DongleServer.exe | 3
2492 | DongleServer.exe | 3
2432 | DongleServer.exe | 3
2004 | DongleServer.exe | 3
2016 | DongleServer.exe | 3
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2200 | taskkill.exe
Token: SeDebugPrivilege | 2076 | taskkill.exe
Token: SeDebugPrivilege | 2680 | taskkill.exe
Token: SeDebugPrivilege | 2448 | taskkill.exe
Token: SeShutdownPrivilege | 1480 | powercfg.exe
Token: SeShutdownPrivilege | 552 | powercfg.exe
Token: SeShutdownPrivilege | 1808 | powercfg.exe
Token: SeShutdownPrivilege | 2416 | powercfg.exe
Token: SeShutdownPrivilege | 2276 | powercfg.exe
Token: SeShutdownPrivilege | 684 | powercfg.exe
Token: SeDebugPrivilege | 832 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
(64 events; every pid/target pair below appears 4 times in the raw list, so each row stands for 4 events)
description | pid | Process | procid_target
PID 1732 wrote to memory of 2200 | 1732 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 28
PID 1732 wrote to memory of 2076 | 1732 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 31
PID 1732 wrote to memory of 2796 | 1732 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 33
PID 2796 wrote to memory of 2680 | 2796 | cmd.exe | 35
PID 2796 wrote to memory of 2448 | 2796 | cmd.exe | 36
PID 2796 wrote to memory of 2496 | 2796 | cmd.exe | 37
PID 2796 wrote to memory of 2520 | 2796 | cmd.exe | 38
PID 2796 wrote to memory of 2224 | 2796 | cmd.exe | 39
PID 2796 wrote to memory of 2972 | 2796 | cmd.exe | 40
PID 2796 wrote to memory of 1728 | 2796 | cmd.exe | 41
PID 2796 wrote to memory of 2284 | 2796 | cmd.exe | 42
PID 2284 wrote to memory of 2700 | 2284 | net.exe | 43
PID 2732 wrote to memory of 552 | 2732 | DongleServer.exe | 45
PID 2732 wrote to memory of 1480 | 2732 | DongleServer.exe | 46
PID 2732 wrote to memory of 2276 | 2732 | DongleServer.exe | 49
PID 2732 wrote to memory of 1808 | 2732 | DongleServer.exe | 50
Processes
(indentation shows process-tree depth; each entry lists the image path, the command line, the matched signatures and the PID)

C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 1732

  C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2200

  C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID: 2076

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat" "
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 2796

    C:\Windows\SysWOW64\taskkill.exe
      Command line: C:\Windows\System32\taskkill /f /t /im "DongleServer.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2680

    C:\Windows\SysWOW64\taskkill.exe
      Command line: C:\Windows\System32\taskkill /f /t /im "DentalDesktopServer.NTService.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2448

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\System32\sc config DentalUpdater start=auto
      - Launches sc.exe
      PID: 2496

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto
      - Launches sc.exe
      PID: 2520

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\System32\sc config DongleServerService start=auto
      - Launches sc.exe
      PID: 2224

    C:\Windows\SysWOW64\sc.exe
      Command line: C:\Windows\System32\sc config DentalDesktopServer start=auto
      - Launches sc.exe
      PID: 2972

    C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
      Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 1728

    C:\Windows\SysWOW64\net.exe
      Command line: C:\Windows\System32\net start DongleServerService
      - Suspicious use of WriteProcessMemory
      PID: 2284

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start DongleServerService
        PID: 2700

    C:\Windows\SysWOW64\net.exe
      Command line: C:\Windows\System32\net start ThreeShapeDentalManagerService
      PID: 1344

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start ThreeShapeDentalManagerService
        PID: 1036

    C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
      Command line: DongleServer.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 1048

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Get-Clipboard"
      - Drops file in Program Files directory
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 832

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2732

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 552

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 1480

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 2276

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 1808

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 2416

  C:\Windows\SysWOW64\powercfg.exe
    Command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 684

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1616

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2928

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2060

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1544

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2488

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2492

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2432

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2004

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
  Command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2016
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 9fe8ce5663de64fd407968c6a9317c22
SHA1: 1440c367d350f8ecb4ba8fb7b977c7eaf64c0eaa
SHA256: 67a4fee9fbe70b7e70378f146d6ccc4de8d3c83fa9b25d87e58593e9193ca099
SHA512: c39c3a6399deb6fd2c369990d55dceca62c446c2702c8d4e4187da92af0cdd545d5b99f5c4d448cfcb5f07902f242e75d9a70008a8fccb81c842ea7c6ed3afe8

Filesize: 1KB
MD5: 03e755200772d78f08a5a15b66cfa1b6
SHA1: 42e903a8ad88437765bc9de32444a108fab765c2
SHA256: ff6b53313e59b2b77abd2e2ee5fe590f5cbeecf8785bee279a4f312f3bf48783
SHA512: f7863f1dfccb6d7c2b5d57965702d5614a961df2770a0f5eb41a54ad274e879d59bec0f7fc0f8e7a2d00138c9b77c1a1a9d091574021b1256559fc592fe5d325

Filesize: 95KB
MD5: 37850c457c42e8b48b4b4dd8255fcbac
SHA1: 39e9ab478096b3186ba99930952339e648a37247
SHA256: c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224
SHA512: 45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

Filesize: 494KB
MD5: 6768851cdf2634e6250541633f8fb504
SHA1: 5e9185cbed205146ef990e911a7ac523c9dadf70
SHA256: ccacbf2473b8b9cd99d7200326801109174b17a6136bd88e9614d7804a733cb4
SHA512: 9783754c8352380c8b9b7d98f32b33f6391924592a9ac222197b2a62b9bb3d9359bc8adcbed5ee1a53bf6ea5fd5abe9f7643aee70e11e4b0452cabce14213816

Filesize: 1KB
MD5: 2ac87908fdaf9b1ffe06badad5b67335
SHA1: bfbf990a179240768d952280e6d19e2f68f31b5a
SHA256: d56ceb41d17295f15ff80c5588a2f7207f86f9ba0900bdcabd5a7dafc0b0ec8d
SHA512: 54bf2f6a88b0b7b2d5d510bfbabf4e623d015c54635b2a4bfcd76c9daa174f851e014e848c90a580a497384c9a9411e5e09dd3adf85cbad69bba602fbf9b21df

Filesize: 1KB
MD5: d7ef4a8467722aa0284c764d0386538a
SHA1: d02c8e9ca737a7b128164aa2f64821387af0c2a3
SHA256: 733b0bd3e39fe27feebbc4c4edea77269df66a9de99af8f3ad8e377c406e2f6d
SHA512: c235a09eba650d8b992013ec960c371149a351443732032aecd38e07567b2bfa6074fff6803460436d6574b8bedd8201443c9cc739fdf63e69ccde2bc6cf2d46

Filesize: 1KB
MD5: 0f780d42c407fdf9ef88ee69ad2a2923
SHA1: a7d15a33e9dee1131e2db8a4dc13b1f4c742edda
SHA256: d3cca68438eeb76d7b5c93bf1ca7a1604ca02c4019f2c4224a7641cbc283f7bb
SHA512: a3ca2b8cb7f24486b32f8c48f706da54eb25c88319eaa6d056249a1d30b8b99fe3da5cc8fbb330da4b44c3b7e35f0907db5e81a98c6babbb9d4715ece423b6fc

Filesize: 1KB
MD5: 17bf8e6e05369d8306d5b7bc1a829048
SHA1: 79444ed4c1b75e6b44136abb96a3095e1dabdafb
SHA256: 69f9429d3f5a010ea0a66337cc3a7590e2bb2fbd76876c053854583f80624e2a
SHA512: b57f0ed5409fabd3a8994786d9a3e9aca96d0e6e9d789cbb83c23dd45921e1eec323aa0ab1de2fda1ab6056cb8f0daee85392f6460c7295a39c0e09dc75a3e7b

Filesize: 1KB
MD5: b091c149fc55b63d66cbbab99de97374
SHA1: 72a61fd3c1dc8990edfb41f3f39e89181b839ce0
SHA256: e4342ca68acb31aa28076c5a3fe136256219f5b6a19388a331c03e8e62a71ea0
SHA512: 5d1c818fbaa6ae9e49c24b7392516ddd8844f5b9af9512a1773634a96189c8be1dc4c0035618e5e0c3090a0b97a897ea86ee2dff8225e841e09f7a3e29ae69b6

Filesize: 1KB
MD5: aced96ff0594205a2b228e87f801b8b5
SHA1: 96f1623957280ae28eeaa533e8a18d9fcc30cb1a
SHA256: 33aa506d30c32888473bfae0860a563a741f8aecbf4e8a88a69ae82070f1c46c
SHA512: 490d4fdd17539548b39a130d72e14ee7f3eb17b0d017fea8f9e8dc27582afc3ae755d1c16097cc5442bdef20e8aa25e16439d744980ed76dbbf2aa15ab7d0055

Filesize: 986B
MD5: d09e94832818df2ed0a6edcc5c95ceb2
SHA1: d9aea5cfa1047e78cb0bf2e312fdd3b88efd54ba
SHA256: 995dae0908c311c5f240cb97c3bfdd6fe5c4a43703e931b110636a2cb19e39ea
SHA512: 0ca521aef2872edb1faf8b35ed7f1c7120b1728cb7897f44e5b98a4f7c6d3f618a7421936aa28df3a81af04fbc9b726e025ea4e6d6f4dc49f299dc9ebeacb850

Filesize: 581B
MD5: c9cf83c3e2068cb8d3d6a75096ed4f0c
SHA1: 647bc9eddc3e863807ccea1bbd9fd7e0f270b7c8
SHA256: 073651fc93394e138b41330db4172fb02e08867a1cb661960e1d7d873791bfd6
SHA512: 0c1c13306dc7dbb93ff524bfb00b1330bd70b65043ab56a6d5fd6d1639dc6f6472fa4086e1596839556f16af9b7bc51168bf0f4b84f90113498f9323ed81a2ec

Filesize: 2.7MB
MD5: 8077181a3608728119ce333981d2d917
SHA1: 80eeff801080c2908ac15b22757e71d202bd55f5
SHA256: a3d5eb9491d0ac5ba7bb7bb3f44d4d2f459cfbd1ba4007cebd03d18fae0cf3ef
SHA512: 0ae002c58ec3d007fb54300449d528c747e2a918338f425b8a35482ed853de1992f10d1603ef66c0e505e89082f6c66944d7b8e6edd8de61301ef4c164f07985

Filesize: 5.2MB
MD5: d09d6fc69cbd0b669fac024105eb576b
SHA1: 506f5d9821c64e0e8bb692098cac2b4d70e02584
SHA256: 41b11ac538f3f74f99975a3a2aedacbd054a926a0f9f30737a3d5009450ef7c5
SHA512: 13b6eef492907c5711b8fb8d79c83e9a40899907c03420470f7c7f7044b8410504f559b8c5528f7d3bb51344a08954c01bd8203fc3a91c5c74463edd855635ad