779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Size

6.7MB
MD5

51e40d7ff9be9fece988a37ab684c155
SHA1

d02d8d7b79bb98d4dff5c6e5feb58955f637fda4
SHA256

779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444
SHA512

598676391cb0e55b74182d3a77332d0acc2201727a46e6182a0487bd4e0b9a6b67a184deb87c155d32c0d56e2671471f02104baa24f22bb5ad6d2b4c15f5aecb
SSDEEP

196608:463+qS8Hy2Zx/2YgHh4aBE1jVdGXctRdXW:4qkWFZ927NE1jLGiR

Score

8^/10

evasion execution persistence upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1816 netsh.exe
2824 netsh.exe
2364 netsh.exe
3012 netsh.exe
556 netsh.exe
3056 netsh.exe
808 netsh.exe

pid	process
1816	netsh.exe
2824	netsh.exe
2364	netsh.exe
3012	netsh.exe
556	netsh.exe
3056	netsh.exe
808	netsh.exe

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe\Debugger = "Blocked"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe\Debugger = "Blocked"	regedit.exe

Executes dropped EXE 12 IoCs

Processes:

sg.tmpAutodeskLicensePatcherInstaller.exeAutodeskLicensePatcherInstaller.exesg.tmpService.exeEnd_v1.20.exeEnd_v1.20.exeEnd_v1.2.exeEnd_v1.20.exeEnd_v1.20.exelmgrd.exe

pid	process
2672	sg.tmp
528	AutodeskLicensePatcherInstaller.exe
548	AutodeskLicensePatcherInstaller.exe
3068	sg.tmp
608	Service.exe
2252	End_v1.20.exe
2304	End_v1.20.exe
1900	End_v1.2.exe
1284
616	End_v1.20.exe
1652	End_v1.20.exe
2308	lmgrd.exe

Loads dropped DLL 8 IoCs

Processes:

779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exeAutodeskLicensePatcherInstaller.exeEnd_v1.20.execmd.exe

pid	process
1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
528	AutodeskLicensePatcherInstaller.exe
528	AutodeskLicensePatcherInstaller.exe
2252	End_v1.20.exe
2252	End_v1.20.exe
2252	End_v1.20.exe
2252	End_v1.20.exe
3036	cmd.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1500-0-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2944-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2944-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherInstaller.exe	upx
behavioral1/memory/1500-42-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/528-46-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/548-55-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/548-58-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/528-104-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe	upx
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe	upx
behavioral1/memory/608-146-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/608-157-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2252-161-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2304-171-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2252-170-0x0000000002710000-0x000000000288F000-memory.dmp	upx
behavioral1/memory/2304-174-0x0000000000400000-0x000000000057F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\~1972774800949691536\End_v1.2.exe	upx
behavioral1/memory/1900-190-0x000000013F640000-0x000000014087F000-memory.dmp	upx
behavioral1/memory/1652-225-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/616-223-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2252-221-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1652-222-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/616-227-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1900-234-0x000000013F640000-0x000000014087F000-memory.dmp	upx
behavioral1/memory/1900-238-0x000000013F640000-0x000000014087F000-memory.dmp	upx

Drops file in Program Files directory 19 IoCs

Processes:

xcopy.exexcopy.exepowershell.exeService.exexcopy.exepowershell.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1848 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2704 powershell.exe
2924 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2332 schtasks.exe

pid	process
1848	sc.exe

pid	process
2704	powershell.exe
2924	powershell.exe

pid	process
2332	schtasks.exe

Kills process with taskkill 27 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1896	taskkill.exe
1212	taskkill.exe
2904	taskkill.exe
1364	taskkill.exe
2028	taskkill.exe
2796	taskkill.exe
2300	taskkill.exe
2012	taskkill.exe
800	taskkill.exe
1712	taskkill.exe
1204	taskkill.exe
2312	taskkill.exe
1748	taskkill.exe
292	taskkill.exe
2732	taskkill.exe
1500	taskkill.exe
752	taskkill.exe
2316	taskkill.exe
1508	taskkill.exe
2192	taskkill.exe
868	taskkill.exe
2500	taskkill.exe
2684	taskkill.exe
2716	taskkill.exe
1696	taskkill.exe
2808	taskkill.exe
2748	taskkill.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2408 regedit.exe
2004 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3052 PING.EXE
780 PING.EXE
1712 PING.EXE
2436 PING.EXE
1644 PING.EXE
2260 PING.EXE
1296 PING.EXE
772 PING.EXE
400 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Processes:

msiexec.exeAutodeskLicensePatcherInstaller.exeService.exeEnd_v1.20.exe

pid process

2200 msiexec.exe
528 AutodeskLicensePatcherInstaller.exe
608 Service.exe
2252 End_v1.20.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2584 powershell.exe
2704 powershell.exe
2924 powershell.exe

pid	process
2408	regedit.exe
2004	regedit.exe

pid	process
3052	PING.EXE
780	PING.EXE
1712	PING.EXE
2436	PING.EXE
1644	PING.EXE
2260	PING.EXE
1296	PING.EXE
772	PING.EXE
400	PING.EXE

pid	process
2200	msiexec.exe
528	AutodeskLicensePatcherInstaller.exe
608	Service.exe
2252	End_v1.20.exe

pid	process
2584	powershell.exe
2704	powershell.exe
2924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exesg.tmptaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exemsiexec.exemsiexec.exeAutodeskLicensePatcherInstaller.exe

description	pid	process
Token: SeBackupPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeRestorePrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: 33	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeIncBasePriorityPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeCreateGlobalPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: 33	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeIncBasePriorityPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: 33	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeIncBasePriorityPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeBackupPrivilege	2944	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeRestorePrivilege	2944	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: 33	2944	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeIncBasePriorityPrivilege	2944	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: 33	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeIncBasePriorityPrivilege	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
Token: SeRestorePrivilege	2672	sg.tmp
Token: 35	2672	sg.tmp
Token: SeSecurityPrivilege	2672	sg.tmp
Token: SeSecurityPrivilege	2672	sg.tmp
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2720	msiexec.exe
Token: SeTakeOwnershipPrivilege	2720	msiexec.exe
Token: SeSecurityPrivilege	2720	msiexec.exe
Token: SeCreateTokenPrivilege	2200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2200	msiexec.exe
Token: SeLockMemoryPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeMachineAccountPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeLoadDriverPrivilege	2200	msiexec.exe
Token: SeSystemProfilePrivilege	2200	msiexec.exe
Token: SeSystemtimePrivilege	2200	msiexec.exe
Token: SeProfSingleProcessPrivilege	2200	msiexec.exe
Token: SeIncBasePriorityPrivilege	2200	msiexec.exe
Token: SeCreatePagefilePrivilege	2200	msiexec.exe
Token: SeCreatePermanentPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeDebugPrivilege	2200	msiexec.exe
Token: SeAuditPrivilege	2200	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2200	msiexec.exe
Token: SeChangeNotifyPrivilege	2200	msiexec.exe
Token: SeRemoteShutdownPrivilege	2200	msiexec.exe
Token: SeUndockPrivilege	2200	msiexec.exe
Token: SeSyncAgentPrivilege	2200	msiexec.exe
Token: SeEnableDelegationPrivilege	2200	msiexec.exe
Token: SeManageVolumePrivilege	2200	msiexec.exe
Token: SeImpersonatePrivilege	2200	msiexec.exe
Token: SeCreateGlobalPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	528	AutodeskLicensePatcherInstaller.exe
Token: SeRestorePrivilege	528	AutodeskLicensePatcherInstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

End_v1.2.exe

pid process

1900 End_v1.2.exe
1900 End_v1.2.exe

pid	process
1900	End_v1.2.exe
1900	End_v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.execmd.exenet.exe

description	pid	process	target process
PID 1500 wrote to memory of 2684	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2684	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2684	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2684	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2944	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
PID 1500 wrote to memory of 2944	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
PID 1500 wrote to memory of 2944	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
PID 1500 wrote to memory of 2944	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
PID 1500 wrote to memory of 2672	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	sg.tmp
PID 1500 wrote to memory of 2672	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	sg.tmp
PID 1500 wrote to memory of 2672	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	sg.tmp
PID 1500 wrote to memory of 2672	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	sg.tmp
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 1500 wrote to memory of 2712	1500	779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe	cmd.exe
PID 2712 wrote to memory of 2452	2712	cmd.exe	chcp.com
PID 2712 wrote to memory of 2452	2712	cmd.exe	chcp.com
PID 2712 wrote to memory of 2452	2712	cmd.exe	chcp.com
PID 2712 wrote to memory of 2508	2712	cmd.exe	mode.com
PID 2712 wrote to memory of 2508	2712	cmd.exe	mode.com
PID 2712 wrote to memory of 2508	2712	cmd.exe	mode.com
PID 2712 wrote to memory of 2192	2712	cmd.exe	xcopy.exe
PID 2712 wrote to memory of 2192	2712	cmd.exe	xcopy.exe
PID 2712 wrote to memory of 2192	2712	cmd.exe	xcopy.exe
PID 2712 wrote to memory of 2408	2712	cmd.exe	regedit.exe
PID 2712 wrote to memory of 2408	2712	cmd.exe	regedit.exe
PID 2712 wrote to memory of 2408	2712	cmd.exe	regedit.exe
PID 2712 wrote to memory of 2468	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2468	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2468	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 2364	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 2364	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 2364	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 3012	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 3012	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 3012	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 556	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 556	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 556	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 2380	2712	cmd.exe	net.exe
PID 2712 wrote to memory of 2380	2712	cmd.exe	net.exe
PID 2712 wrote to memory of 2380	2712	cmd.exe	net.exe
PID 2380 wrote to memory of 2348	2380	net.exe	net1.exe
PID 2380 wrote to memory of 2348	2380	net.exe	net1.exe
PID 2380 wrote to memory of 2348	2380	net.exe	net1.exe
PID 2712 wrote to memory of 2316	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 2316	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 2316	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1712	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1712	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1712	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 292	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 292	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 292	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1896	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1896	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1896	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1204	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1204	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 1204	2712	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
"C:\Users\Admin\AppData\Local\Temp\779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\cmd.exe
cmd.exe /c set
2⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=5828502 "C:\Users\Admin\AppData\Local\Temp\~7112249032068062240.tmp",,C:\Users\Admin\AppData\Local\Temp\779d1fae1316bee12a401c906b1d374a855a0f50e8d3f8a5f44391727905e444.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Users\Admin\AppData\Local\Temp\~8728391609675323347~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~7112249032068062240.tmp" -y -aoa -o"C:\AutodeskLicensePatcherUninstaller"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\cmd.exe
cmd /c ""C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherUninstaller.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\chcp.com
chcp 1254
3⤵
PID:2452

C:\Windows\system32\mode.com
mode con: cols=70 lines=15
3⤵
PID:2508

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherInstaller.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
3⤵
PID:2192

C:\Windows\regedit.exe
regedit.exe /s "C:\AutodeskLicensePatcherUninstaller\Tweak.reg"
3⤵
- Runs .reg file with regedit
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
3⤵
PID:2468

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="AutodeskNLM"
3⤵
- Modifies Windows Firewall
PID:2364

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Allowed C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherInstaller.exe"
3⤵
- Modifies Windows Firewall
PID:3012

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name="Blocked C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherInstaller.exe"
3⤵
- Modifies Windows Firewall
PID:556

C:\Windows\system32\net.exe
net stop AdskLicensingService
3⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
4⤵
PID:2348

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmgrd.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /F /IM "adskflex.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmutil.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmtools.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\msiexec.exe
MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\net.exe
net start AdskLicensingService
3⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
4⤵
PID:2240

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:3052

C:\Users\Admin\AppData\Local\Temp\AutodeskLicensePatcherInstaller.exe
C:\Users\Admin\AppData\Local\Temp\AutodeskLicensePatcherInstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\cmd.exe
cmd.exe /c set
4⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\AutodeskLicensePatcherInstaller.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=4909086 "C:\Users\Admin\AppData\Local\Temp\~7132415367923558782.tmp",,C:\Users\Admin\AppData\Local\Temp\AutodeskLicensePatcherInstaller.exe
4⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\~3272033911611407370~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~7132415367923558782.tmp" -y -aoa -o"C:\AutodeskLicensePatcherInstaller"
4⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\cmd.exe
cmd /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
4⤵
PID:1820

C:\Windows\system32\chcp.com
chcp 1254
5⤵
PID:1344

C:\Windows\system32\mode.com
mode con: cols=70 lines=15
5⤵
PID:1516

C:\Windows\system32\net.exe
net stop AdskLicensingService
5⤵
PID:972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
6⤵
PID:568

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
5⤵
- Kills process with taskkill
PID:2808

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
5⤵
- Kills process with taskkill
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
5⤵
- Kills process with taskkill
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
5⤵
- Kills process with taskkill
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
5⤵
- Kills process with taskkill
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmgrd.exe"
5⤵
- Kills process with taskkill
PID:2796

C:\Windows\system32\taskkill.exe
taskkill /F /IM "adskflex.exe"
5⤵
- Kills process with taskkill
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmutil.exe"
5⤵
- Kills process with taskkill
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmtools.exe"
5⤵
- Kills process with taskkill
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\regedit.exe
regedit.exe /s "C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg"
5⤵
- Sets file execution options in registry
- Runs .reg file with regedit
PID:2004

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:1896

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:2148

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:1704

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:2232

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:2216

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:1724

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i
5⤵
- Drops file in Program Files directory
PID:2308

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i
5⤵
PID:2708

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
5⤵
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
5⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
6⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "(gc License.lic) -replace 'MAC', ' ' | Out-File -encoding ASCII License.lic"
5⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\system32\sc.exe
sc config "AdskLicensingService" Start= Auto
5⤵
- Launches sc.exe
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
5⤵
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"
5⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
5⤵
- Modifies Windows Firewall
PID:3056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
5⤵
- Modifies Windows Firewall
PID:808

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
5⤵
- Modifies Windows Firewall
PID:1816

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
5⤵
- Modifies Windows Firewall
PID:2824

C:\Windows\system32\net.exe
net start AdskLicensingService
5⤵
PID:1968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
6⤵
PID:896

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat" "
6⤵
- Loads dropped DLL
PID:3036

C:\Windows\SysWOW64\chcp.com
chcp 1254
7⤵
PID:3068

C:\Windows\SysWOW64\mode.com
mode con: cols=70 lines=12
7⤵
PID:528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
7⤵
- Runs ping.exe
PID:780

C:\Windows\SysWOW64\net.exe
net stop AdskLicensingService
7⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
8⤵
PID:2432

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
7⤵
- Kills process with taskkill
PID:2500

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
7⤵
- Kills process with taskkill
PID:2732

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
7⤵
- Kills process with taskkill
PID:800

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
7⤵
- Kills process with taskkill
PID:2192

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
7⤵
- Kills process with taskkill
PID:2684

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmgrd.exe"
7⤵
- Kills process with taskkill
PID:1500

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "adskflex.exe"
7⤵
- Kills process with taskkill
PID:2904

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmutil.exe"
7⤵
- Kills process with taskkill
PID:868

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmtools.exe"
7⤵
- Kills process with taskkill
PID:752

C:\Windows\SysWOW64\net.exe
net start AdskLicensingService
7⤵
PID:1724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
8⤵
PID:1180

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
lmgrd.exe -z -c License.lic
7⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
5⤵
- Runs ping.exe
PID:2260

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2252

C:\Windows\system32\cmd.exe
cmd.exe /c set
6⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~4048627415923402272.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
6⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\~1972774800949691536\End_v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\~1972774800949691536\End_v1.2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~898191973683564984.cmd"
6⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~898191973683564984.cmd"
7⤵
PID:2552

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:1712

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:2436

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6476421180564468649.cmd"
6⤵
- Executes dropped EXE
PID:616

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~6476421180564468649.cmd"
7⤵
PID:1920

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:1296

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:772

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:1644

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
8⤵
- Runs ping.exe
PID:400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat

Filesize
7KB

MD5
5f9d018c9516c12cfe4585a4ba3a2dc9

SHA1
6e8349ff419df788eff4137ec3b2cb600af17fe7

SHA256
1767e7a1d08cfe7b867b401f8fd682e22b4c511cdd2c7ef36aed7c1d3a3f4f2e

SHA512
825e28015bcc00a9d335b144cadf5adf6cfc526801140bc7a6cbee8e9813b41bd6c49205404c376e678f8fcf83086ee3b65ec40728f469afcf109c059c9109c6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe

Filesize
3.9MB

MD5
abdcd215ed468f7282c196a8a9e473d7

SHA1
5702dc33da4bc58627bfc9e8b36fd8d82dba3dde

SHA256
e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

SHA512
6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic

Filesize
302KB

MD5
b95947dc716b46b8865d6ad72e348252

SHA1
7b9dfbfbb6798707ade19592db60e013f4dafaee

SHA256
f9bea0f8ac46499daa2f7608e014ff42e1a811dfe9c373e8ca1e04f829c9f6eb

SHA512
e17a3a80b2367883dff7383e90e7c23366e6da3a40d76bb6b4dcb1ded072fcded0c24a1e9290adc26f6ddada343ec2ecd7ff43954112283c7d9aac46c69920bd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe

Filesize
1.1MB

MD5
219f8cebef26f1373062357b2f4a8489

SHA1
c77dfc5aa7b908533b6ecba8d8475dcc3545b416

SHA256
cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973

SHA512
2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll

Filesize
127KB

MD5
5c51cc926c76b23830d27a97445bf734

SHA1
51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d

SHA256
655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb

SHA512
ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll

Filesize
73KB

MD5
44774fafd716fa45c7a0ccb3b14d59a6

SHA1
9de0f9b49e53a63757a181b235a3e18f6585b75b

SHA256
4739abff4da13a27f2421452007c9d2340bf4f9e9a601ef0ec9f1b9d64d1d365

SHA512
983bd89429c6dbe9ff94f5e4727982e580a4c696a81dab581be701be1600d8eb8bfa00b0e86b4c99bfe4f76ac11ba3bec8fe1138f864668c7ca9e6096c1222fd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe

Filesize
225KB

MD5
cb5ea38fa0c7a9c053e4e8aa7bc17d76

SHA1
d966e7ae2e68e4a488f0d71eb00dccb4d940f5a4

SHA256
9ef7bfbb752b284e1b6d86d175f9573c1dfffe0309d3880f5bb7437bc8069db5

SHA512
f9513530c76af03e4260d20be3f89db96534c017c9a2fe1c844315af55962c29c1c2655b6f7f1b56d7e6fd1081dab6aeb0e43b57649aeff0aba5bd79481e91ff

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml

Filesize
3KB

MD5
dbfed3ff9dc6ca06e2cf0e2e63098d66

SHA1
a698e52c166f5087ee60968a77261c7608e859c5

SHA256
409a178ed9b9c0929fd9f3b8c3a58afd1b3370c53baf49b4956cf9a79f50d398

SHA512
6eef1b9075a683a3eee30fbabed658efc970cdec6a234e60c2739440c7ee2d6a7e6b8f4d68bef9030014685d8a0b3d3d62dd62887e198b4675bd570482400414

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg

Filesize
2KB

MD5
201a1d31a58330dd6de3bb7f237b405c

SHA1
5cd58cf2c10bd5498ec228a4958a4efcfe5d07b1

SHA256
a2867cb4a7671cbebe5c53bd355a93cfd7c8f6b1e050a8524dee9c5530134655

SHA512
17367569d9358b3f4962fe25b54dba4e9e2f5a580d43d318bf30cd66181a8f9302f83fce453b211b86b3b6b079680dc487b90d42c80be20d05ff4014550a69b8

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherInstaller.exe

Filesize
5.8MB

MD5
51690fe04f14ae35d4347876fa1e0014

SHA1
12f92ca4df31967a80102feb57764ee3f0149111

SHA256
895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706

SHA512
52b07d197130fd87cfc84b2259d1fa14d4301fa399932da144a61ad7d495ae8c18abf1a118fca9baf76e5f749940ca58d77fd33223498683eac91cb5d97c7d22

Download Submit
C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherUninstaller.bat

Filesize
2KB

MD5
46350c331ba2fd784c3611c84c992f10

SHA1
290eaa3fe01cb1d5834269a44f6a736a071e7064

SHA256
356a5474be2934dfeda3366754a4b7f55f9074fa43adcec0badfc06163d853f3

SHA512
b5044598b7ff5403379ed70b3366d7fa135fde545a3a412b46d56915a00e4c777e709ada4237d1beb618e718103fdb1700cf407d0bf0902ae3b7ea5127493d56

Download Submit
C:\AutodeskLicensePatcherUninstaller\Tweak.reg

Filesize
4KB

MD5
d13c68da817646e43133b70a66f6a516

SHA1
4188dc3886c3e365ffe2740d844042f31bc61e33

SHA256
33c988b80bd4bb17ba22b5012d3eb05c38666d174e21eef8e21aa942955699b1

SHA512
0b1bfe750f3e63fc4114fa278b0e33ce410b5356b27fb2f4309d749823b0d22f04718b9d19be567e36173ce1ea9d15234cf535f20693c84f844e4047c49b868d

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
302KB

MD5
2d0301416fc8b6de5c1411613067cd18

SHA1
070c8fe70ff7b277e2b9533a68c7a415622d1abb

SHA256
7a0d6243d5398d83c5c10bed7dca99f4652bcc91e0ca0e49425055e4f4ac79ec

SHA512
79a30b8c2a9e44bfe4376e8d0f8c86ea4ed26453d3d4e516c5814fc0399135f1a2fbf7757bf6e5f4a792507d34e4a2342a8a0b5d769dd59f7577266ca94ca626

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat

Filesize
1KB

MD5
e13cd899ca7bcc58f33d0c4ed5eafe5b

SHA1
4cd518cc494384982cced62366ccc24b86ec093f

SHA256
90a9a38071c84b2dcb49be6a3ddfc424932bcf8d8a4a66a173ab4030470cf7ac

SHA512
c4dc5801d4f4867ded01f0f169b8c0ba197bcbe8e03b2f26d66510083cfa179d750b3c35f3b2e6d6d723a07062b8e0ca86dca1d85745178009c83fbffac47e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1972774800949691536\End_v1.2.exe

Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4048627415923402272.tmp

Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6476421180564468649.cmd

Filesize
373B

MD5
6166cac6753a6baa7c3d834613e55784

SHA1
2404d1c62c7236a2133fb146ad3939a7e55f295b

SHA256
fcc1b38ceb618aff67033ad29ad68092777e02250c80f5f94c66b737014d20e0

SHA512
10fe8b3cccba93e527ef06a5e4a0b10b6064b7a39d36d382878652cc9cdd25940ac59f8d90cb51cfd94203f26006999b37f22c1c2ad0e30469d116512c9d7504

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7112249032068062240.tmp

Filesize
5.6MB

MD5
e05a959c7931c81b616591cf6c66c4e4

SHA1
e4e946f07bc2da4f2e3acc01557e9dfe71b7a852

SHA256
31db80aa5ad26eccbd83fef5fe4b6d55c4009a26124e0b5cb1c67cae2375f54b

SHA512
aa58b769111c5cfae76dbd00d471aef96be797700e14981d43db75537e5174f01d5b09bd06fd526b3835e83d44df1fc31b414cac76a364ce32f20b2e118b0fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7132415367923558782.tmp

Filesize
4.7MB

MD5
2cd2e801b30c7a361891122d117e2b81

SHA1
5a039cf40ceacdee85cc62b83be305cff64d906f

SHA256
4377a01c1e30f102dac5ff4f304190f583b6fba39533752e848b794dcb9bbc23

SHA512
0c14cbb783e05df02c8625b140b0dafbea1fad84baf19862efc4a11ee61791fc41f9e41a56525b124411fc220aeae9132e3662c897cf84e7dc4dd9bc727a9c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~898191973683564984.cmd

Filesize
356B

MD5
8f570c384b39a4f918d7157e2e0a35f1

SHA1
bd38286dd3162dab79ee02ee4490e8e973a1af4f

SHA256
425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5

SHA512
623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3bf15944005120e6458d8956016416b1

SHA1
deca2adf4ccd64af6a9452af968f3298e2b4950b

SHA256
f4e38f76494ba21927ff971b164952de2cb49d0295ec0884ffa9ccb47115e9f2

SHA512
f835812c5673d2518d758d6ab214a534c30450dbef9706bd5b601368e251cf7868327f605ab3b9a7d21138caf6f568b680799bd670e5dde62e6f83ff364bdf5d

Download Submit
\Users\Admin\AppData\Local\Temp\~8728391609675323347~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/528-104-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/528-46-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/548-58-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/548-55-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/608-157-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/608-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/616-223-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/616-227-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1500-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1500-42-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1500-7-0x00000000028E0000-0x0000000002ABE000-memory.dmp

Filesize
1.9MB

Download
memory/1652-222-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1652-225-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1900-234-0x000000013F640000-0x000000014087F000-memory.dmp

Filesize
18.2MB

Download
memory/1900-190-0x000000013F640000-0x000000014087F000-memory.dmp

Filesize
18.2MB

Download
memory/1900-238-0x000000013F640000-0x000000014087F000-memory.dmp

Filesize
18.2MB

Download
memory/2252-221-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2252-189-0x0000000003340000-0x000000000457F000-memory.dmp

Filesize
18.2MB

Download
memory/2252-170-0x0000000002710000-0x000000000288F000-memory.dmp

Filesize
1.5MB

Download
memory/2252-161-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2252-217-0x0000000002E20000-0x0000000002F9F000-memory.dmp

Filesize
1.5MB

Download
memory/2304-174-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2304-171-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2584-110-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2584-109-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2704-135-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2704-134-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/2944-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2944-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download