Analysis
max time kernel: 145s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 08:44
Static task: static1
Behavioral task: behavioral1
  Sample: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
  Resource: win10v2004-20240508-en
General
Target: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
Size: 5.1MB
MD5: 42eb620e3bd578f6a854f3fd9707d66a
SHA1: e328d5fab3840415fdd02ae7f3d12181f94568f2
SHA256: dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d
SHA512: b35e80a54a828d7e80f6702f61f8f5c1acc5bfdba37358e2bd077da5a8567619f49f65460ecde865970694982d76fa2dd9d97e25fe8bbd3bc3dddc0d85e446a2
SSDEEP: 98304:1zQuOP7cqK3k+BfwhIJkJFnvLcbRSIGEWJB0jX6ENkSH32nm:WuSchRdJkJlvaFFWTQ6EC6am
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
Executes dropped EXE 12 IoCs
pid | Process
3612 | DongleServer.exe
3836 | DongleServer.exe
1592 | DongleServer.exe
2296 | DongleServer.exe
4288 | DongleServer.exe
448 | DongleServer.exe
2100 | DongleServer.exe
4516 | DongleServer.exe
2444 | DongleServer.exe
3240 | DongleServer.exe
1924 | DongleServer.exe
5116 | DongleServer.exe
Loads dropped DLL 37 IoCs
pid | Process
3612 | DongleServer.exe
3612 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
1592 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
3240 | DongleServer.exe
3240 | DongleServer.exe
3240 | DongleServer.exe
1924 | DongleServer.exe
1924 | DongleServer.exe
1924 | DongleServer.exe
5116 | DongleServer.exe
5116 | DongleServer.exe
5116 | DongleServer.exe
resource | yara_rule
behavioral2/files/0x0007000000023429-24.dat | vmprotect
behavioral2/memory/3612-33-0x00000000748C0000-0x0000000074E8C000-memory.dmp | vmprotect
behavioral2/memory/3836-54-0x00000000747D0000-0x0000000074D9C000-memory.dmp | vmprotect
behavioral2/memory/1592-77-0x00000000747D0000-0x0000000074D9C000-memory.dmp | vmprotect
behavioral2/memory/2296-122-0x00000000749A0000-0x0000000074F6C000-memory.dmp | vmprotect
behavioral2/memory/4288-144-0x0000000074DF0000-0x00000000753BC000-memory.dmp | vmprotect
Power Settings 1 TTPs 14 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
3472 | powercfg.exe
728 | powercfg.exe
4048 | powercfg.exe
3124 | powercfg.exe
4284 | powercfg.exe
720 | powercfg.exe
3860 | powercfg.exe
1084 | powercfg.exe
2376 | powercfg.exe
2808 | powercfg.exe
3448 | powercfg.exe
4520 | powercfg.exe
4440 | powercfg.exe
3168 | powercfg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
3612 | DongleServer.exe
3836 | DongleServer.exe
1592 | DongleServer.exe
2296 | DongleServer.exe
4288 | DongleServer.exe
448 | DongleServer.exe
2100 | DongleServer.exe
4516 | DongleServer.exe
2444 | DongleServer.exe
3240 | DongleServer.exe
1924 | DongleServer.exe
5116 | DongleServer.exe
Drops file in Program Files directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\hwid.txt | cmd.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_240609781 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File created | C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
File opened for modification | C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log | DongleServer.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4080 | sc.exe
4636 | sc.exe
740 | sc.exe
4260 | sc.exe
pid | Process
2872 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 4 IoCs
pid | Process
2920 | taskkill.exe
5008 | taskkill.exe
1204 | taskkill.exe
5076 | taskkill.exe
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | DongleServer.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | DongleServer.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3612 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
1592 | DongleServer.exe
2872 | powershell.exe
2872 | powershell.exe
3836 | DongleServer.exe
3836 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
2296 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
4288 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
448 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
2100 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
4516 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
2444 | DongleServer.exe
3240 | DongleServer.exe
3240 | DongleServer.exe
3240 | DongleServer.exe
3240 | DongleServer.exe
Suspicious use of AdjustPrivilegeToken 33 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2920 | taskkill.exe
Token: SeDebugPrivilege | 5008 | taskkill.exe
Token: SeDebugPrivilege | 1204 | taskkill.exe
Token: SeDebugPrivilege | 5076 | taskkill.exe
Token: SeShutdownPrivilege | 2376 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2376 | powercfg.exe
Token: SeShutdownPrivilege | 4520 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4520 | powercfg.exe
Token: SeShutdownPrivilege | 2808 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2808 | powercfg.exe
Token: SeShutdownPrivilege | 3124 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3124 | powercfg.exe
Token: SeShutdownPrivilege | 4284 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4284 | powercfg.exe
Token: SeShutdownPrivilege | 4440 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4440 | powercfg.exe
Token: SeShutdownPrivilege | 3472 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3472 | powercfg.exe
Token: SeShutdownPrivilege | 3448 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3448 | powercfg.exe
Token: SeShutdownPrivilege | 728 | powercfg.exe
Token: SeCreatePagefilePrivilege | 728 | powercfg.exe
Token: SeShutdownPrivilege | 720 | powercfg.exe
Token: SeCreatePagefilePrivilege | 720 | powercfg.exe
Token: SeShutdownPrivilege | 3168 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3168 | powercfg.exe
Token: SeShutdownPrivilege | 4048 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4048 | powercfg.exe
Token: SeShutdownPrivilege | 3860 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3860 | powercfg.exe
Token: SeShutdownPrivilege | 1084 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1084 | powercfg.exe
Token: SeDebugPrivilege | 2872 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2468 wrote to memory of 2920 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 81
PID 2468 wrote to memory of 2920 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 81
PID 2468 wrote to memory of 2920 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 81
PID 2468 wrote to memory of 5008 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 84
PID 2468 wrote to memory of 5008 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 84
PID 2468 wrote to memory of 5008 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 84
PID 2468 wrote to memory of 836 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 86
PID 2468 wrote to memory of 836 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 86
PID 2468 wrote to memory of 836 | 2468 | dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe | 86
PID 836 wrote to memory of 1204 | 836 | cmd.exe | 89
PID 836 wrote to memory of 1204 | 836 | cmd.exe | 89
PID 836 wrote to memory of 1204 | 836 | cmd.exe | 89
PID 836 wrote to memory of 5076 | 836 | cmd.exe | 90
PID 836 wrote to memory of 5076 | 836 | cmd.exe | 90
PID 836 wrote to memory of 5076 | 836 | cmd.exe | 90
PID 836 wrote to memory of 4080 | 836 | cmd.exe | 91
PID 836 wrote to memory of 4080 | 836 | cmd.exe | 91
PID 836 wrote to memory of 4080 | 836 | cmd.exe | 91
PID 836 wrote to memory of 4636 | 836 | cmd.exe | 92
PID 836 wrote to memory of 4636 | 836 | cmd.exe | 92
PID 836 wrote to memory of 4636 | 836 | cmd.exe | 92
PID 836 wrote to memory of 740 | 836 | cmd.exe | 93
PID 836 wrote to memory of 740 | 836 | cmd.exe | 93
PID 836 wrote to memory of 740 | 836 | cmd.exe | 93
PID 836 wrote to memory of 4260 | 836 | cmd.exe | 94
PID 836 wrote to memory of 4260 | 836 | cmd.exe | 94
PID 836 wrote to memory of 4260 | 836 | cmd.exe | 94
PID 836 wrote to memory of 3612 | 836 | cmd.exe | 95
PID 836 wrote to memory of 3612 | 836 | cmd.exe | 95
PID 836 wrote to memory of 3612 | 836 | cmd.exe | 95
PID 836 wrote to memory of 4400 | 836 | cmd.exe | 98
PID 836 wrote to memory of 4400 | 836 | cmd.exe | 98
PID 836 wrote to memory of 4400 | 836 | cmd.exe | 98
PID 4400 wrote to memory of 4864 | 4400 | net.exe | 99
PID 4400 wrote to memory of 4864 | 4400 | net.exe | 99
PID 4400 wrote to memory of 4864 | 4400 | net.exe | 99
PID 3836 wrote to memory of 2376 | 3836 | DongleServer.exe | 102
PID 3836 wrote to memory of 2376 | 3836 | DongleServer.exe | 102
PID 3836 wrote to memory of 2376 | 3836 | DongleServer.exe | 102
PID 3836 wrote to memory of 4520 | 3836 | DongleServer.exe | 104
PID 3836 wrote to memory of 4520 | 3836 | DongleServer.exe | 104
PID 3836 wrote to memory of 4520 | 3836 | DongleServer.exe | 104
PID 3836 wrote to memory of 2808 | 3836 | DongleServer.exe | 106
PID 3836 wrote to memory of 2808 | 3836 | DongleServer.exe | 106
PID 3836 wrote to memory of 2808 | 3836 | DongleServer.exe | 106
PID 3836 wrote to memory of 3124 | 3836 | DongleServer.exe | 108
PID 3836 wrote to memory of 3124 | 3836 | DongleServer.exe | 108
PID 3836 wrote to memory of 3124 | 3836 | DongleServer.exe | 108
PID 3836 wrote to memory of 4284 | 3836 | DongleServer.exe | 110
PID 3836 wrote to memory of 4284 | 3836 | DongleServer.exe | 110
PID 3836 wrote to memory of 4284 | 3836 | DongleServer.exe | 110
PID 3836 wrote to memory of 4440 | 3836 | DongleServer.exe | 112
PID 3836 wrote to memory of 4440 | 3836 | DongleServer.exe | 112
PID 3836 wrote to memory of 4440 | 3836 | DongleServer.exe | 112
PID 3836 wrote to memory of 3472 | 3836 | DongleServer.exe | 114
PID 3836 wrote to memory of 3472 | 3836 | DongleServer.exe | 114
PID 3836 wrote to memory of 3472 | 3836 | DongleServer.exe | 114
PID 3836 wrote to memory of 3448 | 3836 | DongleServer.exe | 116
PID 3836 wrote to memory of 3448 | 3836 | DongleServer.exe | 116
PID 3836 wrote to memory of 3448 | 3836 | DongleServer.exe | 116
PID 3836 wrote to memory of 728 | 3836 | DongleServer.exe | 118
PID 3836 wrote to memory of 728 | 3836 | DongleServer.exe | 118
PID 3836 wrote to memory of 728 | 3836 | DongleServer.exe | 118
PID 3836 wrote to memory of 720 | 3836 | DongleServer.exe | 120
Processes

C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe (PID 2468)
  command line: "C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\taskkill.exe (PID 2920)
    command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\taskkill.exe (PID 5008)
    command line: "C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 836)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat" "
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe (PID 1204)
      command line: C:\Windows\System32\taskkill /f /t /im "DongleServer.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe (PID 5076)
      command line: C:\Windows\System32\taskkill /f /t /im "DentalDesktopServer.NTService.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\sc.exe (PID 4080)
      command line: C:\Windows\System32\sc config DentalUpdater start=auto
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 4636)
      command line: C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 740)
      command line: C:\Windows\System32\sc config DongleServerService start=auto
      - Launches sc.exe

    C:\Windows\SysWOW64\sc.exe (PID 4260)
      command line: C:\Windows\System32\sc config DentalDesktopServer start=auto
      - Launches sc.exe

    C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 3612)
      command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\net.exe (PID 4400)
      command line: C:\Windows\System32\net start DongleServerService
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 4864)
        command line: C:\Windows\system32\net1 start DongleServerService

    C:\Windows\SysWOW64\net.exe (PID 4620)
      command line: C:\Windows\System32\net start ThreeShapeDentalManagerService

      C:\Windows\SysWOW64\net1.exe (PID 3456)
        command line: C:\Windows\system32\net1 start ThreeShapeDentalManagerService

    C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 1592)
      command line: DongleServer.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
      command line: powershell -command "Get-Clipboard"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 3836)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\powercfg.exe (PID 2376)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 4520)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 2808)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 3124)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 4284)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 4440)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 3472)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 3448)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 728)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 720)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 3168)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 4048)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 3860)
    command line: "C:\Windows\system32\powercfg.exe" -setacvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\powercfg.exe (PID 1084)
    command line: "C:\Windows\system32\powercfg.exe" -setdcvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 2296)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 4288)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 448)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 2100)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 4516)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 2444)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 3240)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 1924)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe (PID 5116)
  command line: "C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 9fe8ce5663de64fd407968c6a9317c22
SHA1: 1440c367d350f8ecb4ba8fb7b977c7eaf64c0eaa
SHA256: 67a4fee9fbe70b7e70378f146d6ccc4de8d3c83fa9b25d87e58593e9193ca099
SHA512: c39c3a6399deb6fd2c369990d55dceca62c446c2702c8d4e4187da92af0cdd545d5b99f5c4d448cfcb5f07902f242e75d9a70008a8fccb81c842ea7c6ed3afe8

Filesize: 1KB
MD5: 03e755200772d78f08a5a15b66cfa1b6
SHA1: 42e903a8ad88437765bc9de32444a108fab765c2
SHA256: ff6b53313e59b2b77abd2e2ee5fe590f5cbeecf8785bee279a4f312f3bf48783
SHA512: f7863f1dfccb6d7c2b5d57965702d5614a961df2770a0f5eb41a54ad274e879d59bec0f7fc0f8e7a2d00138c9b77c1a1a9d091574021b1256559fc592fe5d325

Filesize: 95KB
MD5: 37850c457c42e8b48b4b4dd8255fcbac
SHA1: 39e9ab478096b3186ba99930952339e648a37247
SHA256: c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224
SHA512: 45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

Filesize: 494KB
MD5: 6768851cdf2634e6250541633f8fb504
SHA1: 5e9185cbed205146ef990e911a7ac523c9dadf70
SHA256: ccacbf2473b8b9cd99d7200326801109174b17a6136bd88e9614d7804a733cb4
SHA512: 9783754c8352380c8b9b7d98f32b33f6391924592a9ac222197b2a62b9bb3d9359bc8adcbed5ee1a53bf6ea5fd5abe9f7643aee70e11e4b0452cabce14213816

Filesize: 5.2MB
MD5: d09d6fc69cbd0b669fac024105eb576b
SHA1: 506f5d9821c64e0e8bb692098cac2b4d70e02584
SHA256: 41b11ac538f3f74f99975a3a2aedacbd054a926a0f9f30737a3d5009450ef7c5
SHA512: 13b6eef492907c5711b8fb8d79c83e9a40899907c03420470f7c7f7044b8410504f559b8c5528f7d3bb51344a08954c01bd8203fc3a91c5c74463edd855635ad

Filesize: 1KB
MD5: 6728587152f5460cb756ff24c0e0685e
SHA1: 1f94baadeeb44cedfb1b6b2fccc4ba6acdc0ac66
SHA256: 6a74dc0f08ec92d8bb0ab3f7aab8c6d1f8db0cda96a98f38c29128122f189b03
SHA512: d6cd02fff82a838d56b8fc511b2b6348ef4fcf65b7982c4804395705743cae1ce3fa8456a690775620768c19ab4449915beff13b0a515aa0ad893ae830707aae

Filesize: 1KB
MD5: c95be990fc3fd7823e4c1cc82a780709
SHA1: 0aaeef44e41a7eca409a3b9b0acda8fa01c81fa8
SHA256: 1e749f94002fde94bcb00d77ff420a8fc2876c09e8929514ab3fade89147cc85
SHA512: 07c6bc1f6287383c226859cc7f2c761c13892621f002ccf872552f3e006ffb305ebb6cff6b525f20e2b38e45010991289643bb9b6a8862277fb8e203d9b629db

Filesize: 1KB
MD5: 08423c733f1d2d24dd828c49a21d7297
SHA1: 04e6c8ff2f29ab387fb6c5772386bb2bfad764bd
SHA256: d0a54960fcdcb1d883fc3fc268076605ff2fe170b2eb00d533a65409cf87fe82
SHA512: d8c79098508d8925f601226443d0f05196d5ebee8240ff89385a8693dee8087704c9a25a7d4580860282b6a84ab0955766bed21e65b2c5936ecb50801acabdfd

Filesize: 1KB
MD5: d023947116a0b60fd06e196c8590cd53
SHA1: 80a6a1db69e8197ee3c845141c0e446851ee3fc2
SHA256: 54e06d6bae2629abd3e3fd4328735773bbf87156d8e21a2884605286b13e4c91
SHA512: 5587b28db36f49f4865be7319878074d5699aa92dbc64332c6b968fe49e4b2a5168c5edd820e92fb8c742017a3bf8c7efd2882f48869ece33c64e04c0d02d2ba

Filesize: 2KB
MD5: d083b1a230ae8bc8a4433e93f6869ad5
SHA1: b149fc1da13ee4a668a48b0e22a6162834f4da75
SHA256: 849b67d4b50a0e3f2b179bd82c81be7b437c1b10e459c2fa124d6699d75aaf52
SHA512: b55b5c3f252d9b4f6de85bd04aad33962696bda2e088ad89ed1eb07d8127b161ef9666ce0d583ed098a88ca2707bcdc2429b71d45b09be451e2fbb725b8a8402

Filesize: 2KB
MD5: cfeed49600e989f68b60081ed6e9ca19
SHA1: db8e28b0bb4d09343cce23edbaf2c65a236616c8
SHA256: b0ffbab5484e599c07b04b9968b8b4477b43aa503733b7b6f15e4f9e2c32f0d5
SHA512: 58a9688bf757c51cefd0add60248eb8f7e417aebcd495d7ae3c58399ca757b509377c900b4b9e735681ed586453abb00b9a8d6d69c312f25471e3733990661c5

Filesize: 2KB
MD5: eec0da1ea48806b124a83e0fe3be9587
SHA1: 101f8f9a094bc1f2f6a6f63cc65adade01dcdc4c
SHA256: c3022ef9be75948cf9318d0565ba0df19aa51859c00f2af07999769386ea9de6
SHA512: 66d16cfcfec5d31000ccd1dfe5b8bee3a0f243707f3bb65722f3a5613d7c5a36311c52c215c73e75677cc0ea8fb2fde4a5d2cbe802cd0d519422be9739bd902b

Filesize: 2KB
MD5: bd95fcef84da830210b55003ae94d82c
SHA1: c361e6e42fe84b55978513817db73f8920562e0d
SHA256: 33d253527057dd2606079c9d1157a28d31353ff1d23241768a83ff30010ba1b7
SHA512: 9d12a3e8ee57255428b3b4ce84d5719fb5b85d9c1438a21a159cb94b4f41a6e1345eefa129e886417f69947427d2a32bca3f62abccabee7fe1f469f47b4ea8f8

Filesize: 986B
MD5: e4492552f06f0507f15fd1eb04704465
SHA1: b9b0fe3d8ccf930fbbf6644412ac3fcc85c8d9bb
SHA256: 95176fbd810bd5a4e01ef8d506fa2d06527243081a117cbbe949a03b0d1b147f
SHA512: 2c360ba65266614fdf1c98863f286ad68f94f54f45cf11d0e98d51ead12d5ae7c6ae5b1db31fb2f6aae80b3c63a821168d441c1812f22cb89d66bd5eb6887c8d

Filesize: 1KB
MD5: 4ea22eb5206840ce7d749d5b20126629
SHA1: 8b466cc84082dfec253135479e86a91843e31375
SHA256: 605dfab75b888abdab65f69b99a0a16bd59cc40f3ed717b2b9ed9614fff7815c
SHA512: 36bae3634e44ffecdf90f92d5aa6813443027e9145b02a95c46ef167c85550d6e9320f73ddcd137592849037142ad2104462bfdee67e75042b7742f1fac30a44

Filesize: 1KB
MD5: aa6bae96070062c75668f6242eae0b48
SHA1: c5dfe7f2af11685af9223b83c969c6ae497e478d
SHA256: b94dde33b03c4df988db97bca13c66183d7541cdce9e5bcff3b33f4b27f89582
SHA512: f18096a964076df6d82919ff82ff961a0de75707a2ee6006ebd34d19c4d6487908fb1dd30060dfacd923f09841fd21cd4672b83efd2d7f58d1ce48d5114ab2e5

Filesize: 581B
MD5: c9cf83c3e2068cb8d3d6a75096ed4f0c
SHA1: 647bc9eddc3e863807ccea1bbd9fd7e0f270b7c8
SHA256: 073651fc93394e138b41330db4172fb02e08867a1cb661960e1d7d873791bfd6
SHA512: 0c1c13306dc7dbb93ff524bfb00b1330bd70b65043ab56a6d5fd6d1639dc6f6472fa4086e1596839556f16af9b7bc51168bf0f4b84f90113498f9323ed81a2ec

Filesize: 2.7MB
MD5: 8077181a3608728119ce333981d2d917
SHA1: 80eeff801080c2908ac15b22757e71d202bd55f5
SHA256: a3d5eb9491d0ac5ba7bb7bb3f44d4d2f459cfbd1ba4007cebd03d18fae0cf3ef
SHA512: 0ae002c58ec3d007fb54300449d528c747e2a918338f425b8a35482ed853de1992f10d1603ef66c0e505e89082f6c66944d7b8e6edd8de61301ef4c164f07985

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82