895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Size

5.8MB
MD5

51690fe04f14ae35d4347876fa1e0014
SHA1

12f92ca4df31967a80102feb57764ee3f0149111
SHA256

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706
SHA512

52b07d197130fd87cfc84b2259d1fa14d4301fa399932da144a61ad7d495ae8c18abf1a118fca9baf76e5f749940ca58d77fd33223498683eac91cb5d97c7d22
SSDEEP

98304:unnicbdavh/oXUE+yZExTdVY7yhHD0uCqH5peY3+cVe1+2CjYnnnax5LCghRO6EV:4ARsdjZEve2hHDDrBg1+2dnn8RX23H

Score

8^/10

evasion execution persistence upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2732 netsh.exe
2720 netsh.exe
2656 netsh.exe
2332 netsh.exe

pid	process
2732	netsh.exe
2720	netsh.exe
2656	netsh.exe
2332	netsh.exe

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe\Debugger = "Blocked"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe\Debugger = "Blocked"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe	regedit.exe

Executes dropped EXE 9 IoCs

Processes:

sg.tmpService.exeEnd_v1.20.exeEnd_v1.20.exeEnd_v1.2.exelmgrd.exeEnd_v1.20.exeEnd_v1.20.exe

pid process

2148 sg.tmp
2176 Service.exe
2852 End_v1.20.exe
2224 End_v1.20.exe
1628 End_v1.2.exe
1196
2328 lmgrd.exe
1904 End_v1.20.exe
1392 End_v1.20.exe

pid	process
2148	sg.tmp
2176	Service.exe
2852	End_v1.20.exe
2224	End_v1.20.exe
1628	End_v1.2.exe
1196
2328	lmgrd.exe
1904	End_v1.20.exe
1392	End_v1.20.exe

Loads dropped DLL 6 IoCs

Processes:

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exeEnd_v1.20.execmd.exe

pid	process
3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
2852	End_v1.20.exe
2852	End_v1.20.exe
2584	cmd.exe
2852	End_v1.20.exe
2852	End_v1.20.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3056-0-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2612-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2612-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3056-55-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe	upx
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe	upx
behavioral1/memory/2176-98-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2176-109-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2852-113-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2224-122-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2224-124-0x0000000000400000-0x000000000057F000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\~3248783551537819330\End_v1.2.exe	upx
behavioral1/memory/1628-139-0x000000013F8E0000-0x0000000140B1F000-memory.dmp	upx
behavioral1/memory/1904-182-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1392-180-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1904-177-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/2852-186-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1392-188-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1628-190-0x000000013F8E0000-0x0000000140B1F000-memory.dmp	upx
behavioral1/memory/1628-193-0x000000013F8E0000-0x0000000140B1F000-memory.dmp	upx

Drops file in Program Files directory 19 IoCs

Processes:

xcopy.exexcopy.exepowershell.exeService.exexcopy.exexcopy.exexcopy.exepowershell.exexcopy.exexcopy.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	powershell.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2256 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2932 powershell.exe
2180 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

812 schtasks.exe

pid	process
2256	sc.exe

pid	process
2932	powershell.exe
2180	powershell.exe

pid	process
812	schtasks.exe

Kills process with taskkill 18 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1776	taskkill.exe
644	taskkill.exe
2976	taskkill.exe
3004	taskkill.exe
1976	taskkill.exe
1680	taskkill.exe
748	taskkill.exe
2372	taskkill.exe
2440	taskkill.exe
2856	taskkill.exe
2632	taskkill.exe
2920	taskkill.exe
2140	taskkill.exe
1612	taskkill.exe
2780	taskkill.exe
628	taskkill.exe
2560	taskkill.exe
2240	taskkill.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

304 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

876 PING.EXE
3048 PING.EXE
1948 PING.EXE
556 PING.EXE
2424 PING.EXE
316 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Service.exeEnd_v1.20.exe

pid process

2176 Service.exe
2852 End_v1.20.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2744 powershell.exe
2932 powershell.exe
2180 powershell.exe

pid	process
304	regedit.exe

pid	process
876	PING.EXE
3048	PING.EXE
1948	PING.EXE
556	PING.EXE
2424	PING.EXE
316	PING.EXE

pid	process
2176	Service.exe
2852	End_v1.20.exe

pid	process
2744	powershell.exe
2932	powershell.exe
2180	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exesg.tmptaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exemsiexec.exepowershell.exepowershell.exeEnd_v1.20.exeEnd_v1.20.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeEnd_v1.20.exe

description	pid	process
Token: SeBackupPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeCreateGlobalPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeBackupPrivilege	2612	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	2612	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	2612	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	2612	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	2148	sg.tmp
Token: 35	2148	sg.tmp
Token: SeSecurityPrivilege	2148	sg.tmp
Token: SeSecurityPrivilege	2148	sg.tmp
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeRestorePrivilege	1184	msiexec.exe
Token: SeTakeOwnershipPrivilege	1184	msiexec.exe
Token: SeSecurityPrivilege	1184	msiexec.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeBackupPrivilege	2852	End_v1.20.exe
Token: SeRestorePrivilege	2852	End_v1.20.exe
Token: 33	2852	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2852	End_v1.20.exe
Token: SeCreateGlobalPrivilege	2852	End_v1.20.exe
Token: 33	2852	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2852	End_v1.20.exe
Token: 33	2852	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2852	End_v1.20.exe
Token: SeBackupPrivilege	2224	End_v1.20.exe
Token: SeRestorePrivilege	2224	End_v1.20.exe
Token: 33	2224	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2224	End_v1.20.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: 33	2852	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2852	End_v1.20.exe
Token: 33	2852	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	2852	End_v1.20.exe
Token: SeBackupPrivilege	1904	End_v1.20.exe
Token: SeRestorePrivilege	1904	End_v1.20.exe
Token: 33	1904	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	1904	End_v1.20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

End_v1.2.exe

pid process

1628 End_v1.2.exe
1628 End_v1.2.exe

pid	process
1628	End_v1.2.exe
1628	End_v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.execmd.exenet.exe

description	pid	process	target process
PID 3056 wrote to memory of 1836	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 1836	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 1836	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 1836	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 2612	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 3056 wrote to memory of 2612	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 3056 wrote to memory of 2612	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 3056 wrote to memory of 2612	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 3056 wrote to memory of 2148	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 3056 wrote to memory of 2148	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 3056 wrote to memory of 2148	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 3056 wrote to memory of 2148	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3056 wrote to memory of 3060	3056	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 3060 wrote to memory of 2584	3060	cmd.exe	chcp.com
PID 3060 wrote to memory of 2584	3060	cmd.exe	chcp.com
PID 3060 wrote to memory of 2584	3060	cmd.exe	chcp.com
PID 3060 wrote to memory of 2528	3060	cmd.exe	mode.com
PID 3060 wrote to memory of 2528	3060	cmd.exe	mode.com
PID 3060 wrote to memory of 2528	3060	cmd.exe	mode.com
PID 3060 wrote to memory of 2524	3060	cmd.exe	net.exe
PID 3060 wrote to memory of 2524	3060	cmd.exe	net.exe
PID 3060 wrote to memory of 2524	3060	cmd.exe	net.exe
PID 2524 wrote to memory of 2544	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2544	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2544	2524	net.exe	net1.exe
PID 3060 wrote to memory of 2560	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2560	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2560	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2440	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2440	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2440	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2856	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2856	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2856	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 3004	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 3004	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 3004	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2140	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2140	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2140	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1612	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1612	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1612	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 1976	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2632	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2632	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2632	3060	cmd.exe	taskkill.exe
PID 3060 wrote to memory of 2744	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 2744	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 2744	3060	cmd.exe	powershell.exe
PID 3060 wrote to memory of 304	3060	cmd.exe	regedit.exe
PID 3060 wrote to memory of 304	3060	cmd.exe	regedit.exe
PID 3060 wrote to memory of 304	3060	cmd.exe	regedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
"C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\system32\cmd.exe
cmd.exe /c set
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=4909086 "C:\Users\Admin\AppData\Local\Temp\~1816861526513332339.tmp",,C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\~8984356180338401257~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~1816861526513332339.tmp" -y -aoa -o"C:\AutodeskLicensePatcherInstaller"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\cmd.exe
cmd /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\chcp.com
chcp 1254
3⤵
PID:2584

C:\Windows\system32\mode.com
mode con: cols=70 lines=15
3⤵
PID:2528

C:\Windows\system32\net.exe
net stop AdskLicensingService
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
4⤵
PID:2544

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmgrd.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\taskkill.exe
taskkill /F /IM "adskflex.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmutil.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmtools.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\regedit.exe
regedit.exe /s "C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg"
3⤵
- Sets file execution options in registry
- Runs .reg file with regedit
PID:304

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:1980

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:2496

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:892

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:604

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:2136

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:1644

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:1020

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i
3⤵
PID:1860

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
3⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
3⤵
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
4⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "(gc License.lic) -replace 'MAC', ' ' | Out-File -encoding ASCII License.lic"
3⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\sc.exe
sc config "AdskLicensingService" Start= Auto
3⤵
- Launches sc.exe
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
3⤵
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"
3⤵
- Creates scheduled task(s)
PID:812

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
3⤵
- Modifies Windows Firewall
PID:2332

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
3⤵
- Modifies Windows Firewall
PID:2732

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
3⤵
- Modifies Windows Firewall
PID:2720

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
3⤵
- Modifies Windows Firewall
PID:2656

C:\Windows\system32\net.exe
net start AdskLicensingService
3⤵
PID:2828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
4⤵
PID:2688

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat" "
4⤵
- Loads dropped DLL
PID:2584

C:\Windows\SysWOW64\chcp.com
chcp 1254
5⤵
PID:2768

C:\Windows\SysWOW64\mode.com
mode con: cols=70 lines=12
5⤵
PID:1928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:1948

C:\Windows\SysWOW64\net.exe
net stop AdskLicensingService
5⤵
PID:536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
6⤵
PID:1916

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmgrd.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "adskflex.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmutil.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmtools.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\net.exe
net start AdskLicensingService
5⤵
PID:872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
6⤵
PID:1092

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
lmgrd.exe -z -c License.lic
5⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:3048

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\cmd.exe
cmd.exe /c set
4⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~8348444208484744703.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Users\Admin\AppData\Local\Temp\~3248783551537819330\End_v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\~3248783551537819330\End_v1.2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~4608671459778382504.cmd"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~4608671459778382504.cmd"
5⤵
PID:1780

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:556

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:2424

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:316

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:876

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~2870058406467251777.cmd"
4⤵
- Executes dropped EXE
PID:1392

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~2870058406467251777.cmd"
5⤵
PID:2408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat

Filesize
7KB

MD5
84d6a67ba1c874a5469a1203d4d986ef

SHA1
966a989677ea79c32f6dd1fbdb5a7eb11ee274af

SHA256
2be64d5f70118bfb932b604c525b7075ed76659a4442135608abe1b6d12e1328

SHA512
2834a597e7f10cc5eb40c1dd74c806908b4d2f9fbf77f3d58b8d096608a052f5d5fd5fdbedd932bc26133e3fee2c75a3393a1c61b0c6bcdd3bcd9038b072ae0a

Download Submit
C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat

Filesize
7KB

MD5
5f9d018c9516c12cfe4585a4ba3a2dc9

SHA1
6e8349ff419df788eff4137ec3b2cb600af17fe7

SHA256
1767e7a1d08cfe7b867b401f8fd682e22b4c511cdd2c7ef36aed7c1d3a3f4f2e

SHA512
825e28015bcc00a9d335b144cadf5adf6cfc526801140bc7a6cbee8e9813b41bd6c49205404c376e678f8fcf83086ee3b65ec40728f469afcf109c059c9109c6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe

Filesize
3.9MB

MD5
abdcd215ed468f7282c196a8a9e473d7

SHA1
5702dc33da4bc58627bfc9e8b36fd8d82dba3dde

SHA256
e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

SHA512
6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic

Filesize
302KB

MD5
b95947dc716b46b8865d6ad72e348252

SHA1
7b9dfbfbb6798707ade19592db60e013f4dafaee

SHA256
f9bea0f8ac46499daa2f7608e014ff42e1a811dfe9c373e8ca1e04f829c9f6eb

SHA512
e17a3a80b2367883dff7383e90e7c23366e6da3a40d76bb6b4dcb1ded072fcded0c24a1e9290adc26f6ddada343ec2ecd7ff43954112283c7d9aac46c69920bd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe

Filesize
1.1MB

MD5
219f8cebef26f1373062357b2f4a8489

SHA1
c77dfc5aa7b908533b6ecba8d8475dcc3545b416

SHA256
cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973

SHA512
2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll

Filesize
127KB

MD5
5c51cc926c76b23830d27a97445bf734

SHA1
51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d

SHA256
655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb

SHA512
ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll

Filesize
73KB

MD5
44774fafd716fa45c7a0ccb3b14d59a6

SHA1
9de0f9b49e53a63757a181b235a3e18f6585b75b

SHA256
4739abff4da13a27f2421452007c9d2340bf4f9e9a601ef0ec9f1b9d64d1d365

SHA512
983bd89429c6dbe9ff94f5e4727982e580a4c696a81dab581be701be1600d8eb8bfa00b0e86b4c99bfe4f76ac11ba3bec8fe1138f864668c7ca9e6096c1222fd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe

Filesize
225KB

MD5
cb5ea38fa0c7a9c053e4e8aa7bc17d76

SHA1
d966e7ae2e68e4a488f0d71eb00dccb4d940f5a4

SHA256
9ef7bfbb752b284e1b6d86d175f9573c1dfffe0309d3880f5bb7437bc8069db5

SHA512
f9513530c76af03e4260d20be3f89db96534c017c9a2fe1c844315af55962c29c1c2655b6f7f1b56d7e6fd1081dab6aeb0e43b57649aeff0aba5bd79481e91ff

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml

Filesize
3KB

MD5
dbfed3ff9dc6ca06e2cf0e2e63098d66

SHA1
a698e52c166f5087ee60968a77261c7608e859c5

SHA256
409a178ed9b9c0929fd9f3b8c3a58afd1b3370c53baf49b4956cf9a79f50d398

SHA512
6eef1b9075a683a3eee30fbabed658efc970cdec6a234e60c2739440c7ee2d6a7e6b8f4d68bef9030014685d8a0b3d3d62dd62887e198b4675bd570482400414

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg

Filesize
2KB

MD5
201a1d31a58330dd6de3bb7f237b405c

SHA1
5cd58cf2c10bd5498ec228a4958a4efcfe5d07b1

SHA256
a2867cb4a7671cbebe5c53bd355a93cfd7c8f6b1e050a8524dee9c5530134655

SHA512
17367569d9358b3f4962fe25b54dba4e9e2f5a580d43d318bf30cd66181a8f9302f83fce453b211b86b3b6b079680dc487b90d42c80be20d05ff4014550a69b8

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
302KB

MD5
2d0301416fc8b6de5c1411613067cd18

SHA1
070c8fe70ff7b277e2b9533a68c7a415622d1abb

SHA256
7a0d6243d5398d83c5c10bed7dca99f4652bcc91e0ca0e49425055e4f4ac79ec

SHA512
79a30b8c2a9e44bfe4376e8d0f8c86ea4ed26453d3d4e516c5814fc0399135f1a2fbf7757bf6e5f4a792507d34e4a2342a8a0b5d769dd59f7577266ca94ca626

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
192KB

MD5
d6f6987326ae63d11e495fc549e605d8

SHA1
086237bcca95bc4c6c5fae779724bfa4f91c9da4

SHA256
9c3906b45dca6904353d092c74a029df9fc2831dd0011a01d445fa2fde36c6bf

SHA512
208509e901a90612e757f8b787fa7c01791ae8cd874212d297cf23356257d7a978640a6ee1812ea88242f7937f0ee34d7fb6bc81da9f5aca4971a03b1b984896

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat

Filesize
1KB

MD5
e13cd899ca7bcc58f33d0c4ed5eafe5b

SHA1
4cd518cc494384982cced62366ccc24b86ec093f

SHA256
90a9a38071c84b2dcb49be6a3ddfc424932bcf8d8a4a66a173ab4030470cf7ac

SHA512
c4dc5801d4f4867ded01f0f169b8c0ba197bcbe8e03b2f26d66510083cfa179d750b3c35f3b2e6d6d723a07062b8e0ca86dca1d85745178009c83fbffac47e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1816861526513332339.tmp

Filesize
4.7MB

MD5
2cd2e801b30c7a361891122d117e2b81

SHA1
5a039cf40ceacdee85cc62b83be305cff64d906f

SHA256
4377a01c1e30f102dac5ff4f304190f583b6fba39533752e848b794dcb9bbc23

SHA512
0c14cbb783e05df02c8625b140b0dafbea1fad84baf19862efc4a11ee61791fc41f9e41a56525b124411fc220aeae9132e3662c897cf84e7dc4dd9bc727a9c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2870058406467251777.cmd

Filesize
356B

MD5
8f570c384b39a4f918d7157e2e0a35f1

SHA1
bd38286dd3162dab79ee02ee4490e8e973a1af4f

SHA256
425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5

SHA512
623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4608671459778382504.cmd

Filesize
373B

MD5
7990ee501fec35a1b481f24f374b435d

SHA1
eac7a65dc982af865f724a222b7f6ffdc237e1bd

SHA256
9277f46e6c736e2b7bb0d56910c1c63364b51ce696f9508660249555fcce4946

SHA512
448af05ceb1a01d7a07a5d87d9c53788f909c7f021c144fc4e964ec98f5267ebb0a48bd75ad0698f4dc8829ed246a8a8ea7369c35eb73eb94ed332e0b6559423

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8348444208484744703.tmp

Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2630d33674e431da759b846b85bc8a4f

SHA1
bf867820306ad077974b6c4796eeb32a30501d2f

SHA256
b59b65f50811452cfc4478b0a6e045983120a84ba341d13b531a11a8e0e23a57

SHA512
beed1d7afb3e026258351a3ae375df54cc9532e29039ef9d8c1566f009f492eed71e3d400fe1fca6843915a26ec018982f916b5039466fe41f49308e57ad5d8a

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\~3248783551537819330\End_v1.2.exe

Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
\Users\Admin\AppData\Local\Temp\~8984356180338401257~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/1392-188-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1392-180-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1628-193-0x000000013F8E0000-0x0000000140B1F000-memory.dmp

Filesize
18.2MB

Download
memory/1628-190-0x000000013F8E0000-0x0000000140B1F000-memory.dmp

Filesize
18.2MB

Download
memory/1628-139-0x000000013F8E0000-0x0000000140B1F000-memory.dmp

Filesize
18.2MB

Download
memory/1904-177-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1904-182-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2176-109-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2176-98-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-124-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2224-122-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2612-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2612-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2744-61-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2744-60-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2852-186-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-163-0x00000000031F0000-0x000000000336F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-178-0x0000000003680000-0x00000000037FF000-memory.dmp

Filesize
1.5MB

Download
memory/2852-113-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2852-138-0x0000000003680000-0x00000000048BF000-memory.dmp

Filesize
18.2MB

Download
memory/2932-86-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2932-85-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/3056-55-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3056-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download