Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-knbqdayenp
Target dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d
SHA256 dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d
Tags
execution persistence vmprotect
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d was found to be: Shows suspicious behavior.

Malicious Activity Summary

execution persistence vmprotect

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

VMProtect packed file

Power Settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Kills process with taskkill

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 08:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 08:44

Reported

2024-06-26 08:46

Platform

win7-20240220-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\hwid.txt C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\3Shape C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_259396450 C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2796 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2796 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2796 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2796 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2796 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2796 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
PID 2796 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2284 wrote to memory of 2700 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2732 wrote to memory of 552 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 2732 wrote to memory of 1480 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 2732 wrote to memory of 2276 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 2732 wrote to memory of 1808 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe

"C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat" "

C:\Windows\SysWOW64\taskkill.exe

C:\Windows\System32\taskkill /f /t /im "DongleServer.exe"

C:\Windows\SysWOW64\taskkill.exe

C:\Windows\System32\taskkill /f /t /im "DentalDesktopServer.NTService.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DentalUpdater start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DongleServerService start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DentalDesktopServer start=auto

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent

C:\Windows\SysWOW64\net.exe

C:\Windows\System32\net start DongleServerService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start DongleServerService

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\net.exe

C:\Windows\System32\net start ThreeShapeDentalManagerService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start ThreeShapeDentalManagerService

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

DongleServer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-Clipboard"

Network

N/A

Files

C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat

MD5 9fe8ce5663de64fd407968c6a9317c22
SHA1 1440c367d350f8ecb4ba8fb7b977c7eaf64c0eaa
SHA256 67a4fee9fbe70b7e70378f146d6ccc4de8d3c83fa9b25d87e58593e9193ca099
SHA512 c39c3a6399deb6fd2c369990d55dceca62c446c2702c8d4e4187da92af0cdd545d5b99f5c4d448cfcb5f07902f242e75d9a70008a8fccb81c842ea7c6ed3afe8

\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

MD5 d09d6fc69cbd0b669fac024105eb576b
SHA1 506f5d9821c64e0e8bb692098cac2b4d70e02584
SHA256 41b11ac538f3f74f99975a3a2aedacbd054a926a0f9f30737a3d5009450ef7c5
SHA512 13b6eef492907c5711b8fb8d79c83e9a40899907c03420470f7c7f7044b8410504f559b8c5528f7d3bb51344a08954c01bd8203fc3a91c5c74463edd855635ad

C:\Program Files (x86)\3Shape\Dongle Server Service\winspool.drv

MD5 8077181a3608728119ce333981d2d917
SHA1 80eeff801080c2908ac15b22757e71d202bd55f5
SHA256 a3d5eb9491d0ac5ba7bb7bb3f44d4d2f459cfbd1ba4007cebd03d18fae0cf3ef
SHA512 0ae002c58ec3d007fb54300449d528c747e2a918338f425b8a35482ed853de1992f10d1603ef66c0e505e89082f6c66944d7b8e6edd8de61301ef4c164f07985

C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml

MD5 03e755200772d78f08a5a15b66cfa1b6
SHA1 42e903a8ad88437765bc9de32444a108fab765c2
SHA256 ff6b53313e59b2b77abd2e2ee5fe590f5cbeecf8785bee279a4f312f3bf48783
SHA512 f7863f1dfccb6d7c2b5d57965702d5614a961df2770a0f5eb41a54ad274e879d59bec0f7fc0f8e7a2d00138c9b77c1a1a9d091574021b1256559fc592fe5d325

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 d09e94832818df2ed0a6edcc5c95ceb2
SHA1 d9aea5cfa1047e78cb0bf2e312fdd3b88efd54ba
SHA256 995dae0908c311c5f240cb97c3bfdd6fe5c4a43703e931b110636a2cb19e39ea
SHA512 0ca521aef2872edb1faf8b35ed7f1c7120b1728cb7897f44e5b98a4f7c6d3f618a7421936aa28df3a81af04fbc9b726e025ea4e6d6f4dc49f299dc9ebeacb850

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 2ac87908fdaf9b1ffe06badad5b67335
SHA1 bfbf990a179240768d952280e6d19e2f68f31b5a
SHA256 d56ceb41d17295f15ff80c5588a2f7207f86f9ba0900bdcabd5a7dafc0b0ec8d
SHA512 54bf2f6a88b0b7b2d5d510bfbabf4e623d015c54635b2a4bfcd76c9daa174f851e014e848c90a580a497384c9a9411e5e09dd3adf85cbad69bba602fbf9b21df

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml

MD5 c9cf83c3e2068cb8d3d6a75096ed4f0c
SHA1 647bc9eddc3e863807ccea1bbd9fd7e0f270b7c8
SHA256 073651fc93394e138b41330db4172fb02e08867a1cb661960e1d7d873791bfd6
SHA512 0c1c13306dc7dbb93ff524bfb00b1330bd70b65043ab56a6d5fd6d1639dc6f6472fa4086e1596839556f16af9b7bc51168bf0f4b84f90113498f9323ed81a2ec

C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll

MD5 6768851cdf2634e6250541633f8fb504
SHA1 5e9185cbed205146ef990e911a7ac523c9dadf70
SHA256 ccacbf2473b8b9cd99d7200326801109174b17a6136bd88e9614d7804a733cb4
SHA512 9783754c8352380c8b9b7d98f32b33f6391924592a9ac222197b2a62b9bb3d9359bc8adcbed5ee1a53bf6ea5fd5abe9f7643aee70e11e4b0452cabce14213816

C:\Program Files (x86)\3Shape\Dongle Server Service\DDCHANGE.DLL

MD5 37850c457c42e8b48b4b4dd8255fcbac
SHA1 39e9ab478096b3186ba99930952339e648a37247
SHA256 c4d39ff5b0ce78a885c2247806e72ab21fb3f8f2e2877eb44ffa558deeded224
SHA512 45e67e00825ce3d7105f4b0c76526a432188d5e8e0e5703eba1d54b8dc05265342703cedc05ca39dadc4b9515faa5de31efc7c09e81ad6be2873d2b478b1b9d8

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 d7ef4a8467722aa0284c764d0386538a
SHA1 d02c8e9ca737a7b128164aa2f64821387af0c2a3
SHA256 733b0bd3e39fe27feebbc4c4edea77269df66a9de99af8f3ad8e377c406e2f6d
SHA512 c235a09eba650d8b992013ec960c371149a351443732032aecd38e07567b2bfa6074fff6803460436d6574b8bedd8201443c9cc739fdf63e69ccde2bc6cf2d46

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 0f780d42c407fdf9ef88ee69ad2a2923
SHA1 a7d15a33e9dee1131e2db8a4dc13b1f4c742edda
SHA256 d3cca68438eeb76d7b5c93bf1ca7a1604ca02c4019f2c4224a7641cbc283f7bb
SHA512 a3ca2b8cb7f24486b32f8c48f706da54eb25c88319eaa6d056249a1d30b8b99fe3da5cc8fbb330da4b44c3b7e35f0907db5e81a98c6babbb9d4715ece423b6fc

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 17bf8e6e05369d8306d5b7bc1a829048
SHA1 79444ed4c1b75e6b44136abb96a3095e1dabdafb
SHA256 69f9429d3f5a010ea0a66337cc3a7590e2bb2fbd76876c053854583f80624e2a
SHA512 b57f0ed5409fabd3a8994786d9a3e9aca96d0e6e9d789cbb83c23dd45921e1eec323aa0ab1de2fda1ab6056cb8f0daee85392f6460c7295a39c0e09dc75a3e7b

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 b091c149fc55b63d66cbbab99de97374
SHA1 72a61fd3c1dc8990edfb41f3f39e89181b839ce0
SHA256 e4342ca68acb31aa28076c5a3fe136256219f5b6a19388a331c03e8e62a71ea0
SHA512 5d1c818fbaa6ae9e49c24b7392516ddd8844f5b9af9512a1773634a96189c8be1dc4c0035618e5e0c3090a0b97a897ea86ee2dff8225e841e09f7a3e29ae69b6

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

MD5 aced96ff0594205a2b228e87f801b8b5
SHA1 96f1623957280ae28eeaa533e8a18d9fcc30cb1a
SHA256 33aa506d30c32888473bfae0860a563a741f8aecbf4e8a88a69ae82070f1c46c
SHA512 490d4fdd17539548b39a130d72e14ee7f3eb17b0d017fea8f9e8dc27582afc3ae755d1c16097cc5442bdef20e8aa25e16439d744980ed76dbbf2aa15ab7d0055

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 08:44

Reported

2024-06-26 08:47

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ddchange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\hwid.txt C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\__tmp_rar_sfx_access_check_240609781 C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File opened for modification C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A
File created C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\taskkill.exe
PID 2468 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\taskkill.exe
PID 2468 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe C:\Windows\SysWOW64\cmd.exe
PID 836 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 836 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 836 wrote to memory of 4080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 836 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 836 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 836 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 836 wrote to memory of 3612 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe
PID 836 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4400 wrote to memory of 4864 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3836 wrote to memory of 2376 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 2376 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 2376 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4520 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4520 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4520 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 2808 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 2808 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 2808 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3124 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3124 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3124 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4284 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4284 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4284 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4440 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4440 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 4440 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3472 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3472 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3472 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3448 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3448 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 3448 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 728 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 728 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 728 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe
PID 3836 wrote to memory of 720 N/A C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe C:\Windows\SysWOW64\powercfg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe

"C:\Users\Admin\AppData\Local\Temp\dd75273b1b2eaf807546691b24e4c703cb2963931fd5a7d4c7e77554271b542d.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /t /im "DongleServer.exe"

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /t /im "DentalDesktopServer.NTService.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat" "

C:\Windows\SysWOW64\taskkill.exe

C:\Windows\System32\taskkill /f /t /im "DongleServer.exe"

C:\Windows\SysWOW64\taskkill.exe

C:\Windows\System32\taskkill /f /t /im "DentalDesktopServer.NTService.exe"

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DentalUpdater start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config ThreeShapeDentalManagerService start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DongleServerService start=auto

C:\Windows\SysWOW64\sc.exe

C:\Windows\System32\sc config DentalDesktopServer start=auto

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe" /install /silent

C:\Windows\SysWOW64\net.exe

C:\Windows\System32\net start DongleServerService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start DongleServerService

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 3af9B8d9-7c97-431d-ad78-34a8bfea439f 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex 961cc777-2547-4f9d-8174-7d86181b8a7a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex a1841308-3541-4fab-bc81-f71556f20b4a 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex ded574b5-45a0-4f42-8737-46345c09c238 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setacvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\system32\powercfg.exe" -setdcvalueindex e9a42b02-d5df-448d-aa00-03f14749eb61 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

C:\Windows\SysWOW64\net.exe

C:\Windows\System32\net start ThreeShapeDentalManagerService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start ThreeShapeDentalManagerService

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

DongleServer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Get-Clipboard"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

"C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Program Files (x86)\3Shape\Dongle Server Service\ClientLicense.bat

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe

C:\Program Files (x86)\3Shape\Dongle Server Service\Winspool.drv

C:\Program Files (x86)\3Shape\Dongle Server Service\ClientNames.xml

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServer.exe.log

C:\Program Files (x86)\3Shape\Dongle Server Service\DongleServerConfig.xml

C:\Program Files (x86)\3Shape\Dongle Server Service\DinkeyChange.dll

C:\Program Files (x86)\3Shape\Dongle Server Service\DDCHANGE.DLL

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ft31fuke.sew.ps1