Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 14:34
Behavioral task behavioral1
- Sample: 895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
- Resource: win10v2004-20240426-en
General
- Target: 895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
- Size: 5.8MB
- MD5: 51690fe04f14ae35d4347876fa1e0014
- SHA1: 12f92ca4df31967a80102feb57764ee3f0149111
- SHA256: 895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706
- SHA512: 52b07d197130fd87cfc84b2259d1fa14d4301fa399932da144a61ad7d495ae8c18abf1a118fca9baf76e5f749940ca58d77fd33223498683eac91cb5d97c7d22
- SSDEEP: 98304:unnicbdavh/oXUE+yZExTdVY7yhHD0uCqH5peY3+cVe1+2CjYnnnax5LCghRO6EV:4ARsdjZEve2hHDDrBg1+2dnn8RX23H
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 4 IoCs
Processes:
pid   process
456   netsh.exe
4460  netsh.exe
4008  netsh.exe
1000  netsh.exe
-
Sets file execution options in registry 2 TTPs 10 IoCs
Processes:
description        ioc                                                                                                                              process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe                    regedit.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe\Debugger = "Blocked"  regedit.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe\Debugger = "Blocked"   regedit.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe\Debugger = "Blocked"  regedit.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe           regedit.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe                        regedit.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe                              regedit.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe\Debugger = "Blocked"         regedit.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe                     regedit.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe\Debugger = "Blocked"  regedit.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description          ioc                                                                                                       process
Key value queried    \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation      Service.exe
-
Executes dropped EXE 9 IoCs
Processes:
pid   process
816   sg.tmp
2028  Service.exe
1944  End_v1.20.exe
744   End_v1.20.exe
2876  End_v1.2.exe
3332  End_v1.20.exe
1540  End_v1.20.exe
2300  lmgrd.exe
4796  adskflex.exe
-
Processes:
resource                                                                              yara_rule
behavioral2/memory/4076-0-0x0000000000400000-0x00000000005DE000-memory.dmp            upx
behavioral2/memory/404-7-0x0000000000400000-0x00000000005DE000-memory.dmp             upx
behavioral2/memory/404-10-0x0000000000400000-0x00000000005DE000-memory.dmp            upx
behavioral2/memory/4076-49-0x0000000000400000-0x00000000005DE000-memory.dmp           upx
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe                          upx
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe                                upx
behavioral2/memory/2028-109-0x0000000000400000-0x0000000000479000-memory.dmp          upx
behavioral2/memory/2028-114-0x0000000000400000-0x0000000000479000-memory.dmp          upx
behavioral2/memory/1944-118-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/744-127-0x0000000000400000-0x000000000057F000-memory.dmp           upx
behavioral2/memory/744-130-0x0000000000400000-0x000000000057F000-memory.dmp           upx
C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe                   upx
behavioral2/memory/2876-144-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp          upx
behavioral2/memory/1944-172-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/1540-174-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/3332-176-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/3332-170-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/1540-179-0x0000000000400000-0x000000000057F000-memory.dmp          upx
behavioral2/memory/2876-188-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp          upx
-
Drops file in Program Files directory 17 IoCs
Processes:
description                    ioc                                                                                                          process
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe                     xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll                                    xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll                                    xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic                      xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic                      xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll    xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll    xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat                      Service.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe                     xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe                        xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe                      xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll     xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll     xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic                      powershell.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe                        xcopy.exe
File opened for modification   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe                      xcopy.exe
File created                   C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat                      Service.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
3576  sc.exe
-
Processes:
pid   process
3516  powershell.exe
3336  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description          ioc                                                                                                                            process
Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001                       End_v1.20.exe
Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom               End_v1.20.exe
Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002                       End_v1.20.exe
Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom               End_v1.20.exe
Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000                          End_v1.20.exe
Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags              End_v1.20.exe
Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000                               End_v1.20.exe
Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags                   End_v1.20.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 18 IoCs
Processes:
pid   process
1908  taskkill.exe
4208  taskkill.exe
532   taskkill.exe
2696  taskkill.exe
1364  taskkill.exe
2572  taskkill.exe
5112  taskkill.exe
732   taskkill.exe
5052  taskkill.exe
4084  taskkill.exe
1980  taskkill.exe
1000  taskkill.exe
2952  taskkill.exe
2024  taskkill.exe
432   taskkill.exe
1764  taskkill.exe
4512  taskkill.exe
1004  taskkill.exe
-
Runs .reg file with regedit 1 IoCs
Processes:
pid   process
4280  regedit.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 8 IoCs
Processes:
pid   process
3892  PING.EXE
3732  PING.EXE
1908  PING.EXE
1380  PING.EXE
2788  PING.EXE
4688  PING.EXE
1608  PING.EXE
4036  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   process
1316  powershell.exe
1316  powershell.exe
3516  powershell.exe
3516  powershell.exe
3516  powershell.exe
3336  powershell.exe
3336  powershell.exe
3336  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token privileges adjusted, grouped by pid; 64 entries in total):
pid 4076  895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, 33, SeIncBasePriorityPrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
pid 404   895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, 33, SeIncBasePriorityPrivilege
pid 4076  895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
  Token: 33, SeIncBasePriorityPrivilege
pid 816   sg.tmp
  Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
pid 1908, 1364, 5052, 4084, 2024, 432, 1980, 2572, 1764  taskkill.exe
  Token: SeDebugPrivilege (one entry per pid)
pid 1316  powershell.exe
  Token: SeDebugPrivilege
pid 3240  msiexec.exe
  Token: SeSecurityPrivilege
pid 3516  powershell.exe
  Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 3336  powershell.exe
  Token: SeDebugPrivilege
pid 1944  End_v1.20.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, 33, SeIncBasePriorityPrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
pid 744   End_v1.20.exe
  Token: SeBackupPrivilege, SeRestorePrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
2876  End_v1.2.exe
2876  End_v1.2.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each line is one "PID X wrote to memory of Y" entry, with the repeat count; 64 entries in total):
source pid  target pid  source process                                                              target process   count
4076        3276        895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe        cmd.exe          2
4076        404         895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe        895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe  3
4076        816         895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe        sg.tmp           3
4076        1424        895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe        cmd.exe          2
1424        2932        cmd.exe                                                                     chcp.com         2
1424        2300        cmd.exe                                                                     mode.com         2
1424        3700        cmd.exe                                                                     net.exe          2
3700        3908        net.exe                                                                     net1.exe         2
1424        1908        cmd.exe                                                                     taskkill.exe     2
1424        1364        cmd.exe                                                                     taskkill.exe     2
1424        5052        cmd.exe                                                                     taskkill.exe     2
1424        4084        cmd.exe                                                                     taskkill.exe     2
1424        2024        cmd.exe                                                                     taskkill.exe     2
1424        432         cmd.exe                                                                     taskkill.exe     2
1424        1980        cmd.exe                                                                     taskkill.exe     2
1424        2572        cmd.exe                                                                     taskkill.exe     2
1424        1764        cmd.exe                                                                     taskkill.exe     2
1424        1316        cmd.exe                                                                     powershell.exe   2
1424        4280        cmd.exe                                                                     regedit.exe      2
1424        4076        cmd.exe                                                                     xcopy.exe        2
1424        1380        cmd.exe                                                                     xcopy.exe        2
1424        2252        cmd.exe                                                                     xcopy.exe        2
1424        560         cmd.exe                                                                     xcopy.exe        2
1424        2700        cmd.exe                                                                     xcopy.exe        2
1424        484         cmd.exe                                                                     xcopy.exe        2
1424        3616        cmd.exe                                                                     xcopy.exe        2
1424        2436        cmd.exe                                                                     xcopy.exe        2
1424        2968        cmd.exe                                                                     xcopy.exe        2
1424        4284        cmd.exe                                                                     cmd.exe          2
4284        3516        cmd.exe                                                                     powershell.exe   2
1424        3336        cmd.exe                                                                     powershell.exe   2
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Process tree; the number in brackets is the nesting depth shown in the original tree. The first line of each entry is the image path, the second is the command line, and the indented bullets are the signatures that fired for that process.)

[1] C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
    "C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set

  [2] C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
      PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=4909086 "C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmp",,C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\~4419705177631379299~\sg.tmp
      7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmp" -y -aoa -o"C:\AutodeskLicensePatcherInstaller"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\chcp.com
        chcp 1254

    [3] C:\Windows\system32\mode.com
        mode con: cols=70 lines=15

    [3] C:\Windows\system32\net.exe
        net stop AdskLicensingService
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop AdskLicensingService

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "AdskLicensingService.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "AdskLicensingAgent.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "ADPClientService.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "AdskLicensingInstHelper.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "lmgrd.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "adskflex.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "lmutil.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\taskkill.exe
        taskkill /F /IM "lmtools.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\regedit.exe
        regedit.exe /s "C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg"
        - Sets file execution options in registry
        - Runs .reg file with regedit

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i
        - Drops file in Program Files directory

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i

    [3] C:\Windows\system32\xcopy.exe
        xcopy "C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i

    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "(gc License.lic) -replace 'MAC', '72707479DC64' | Out-File -encoding ASCII License.lic"
        - Drops file in Program Files directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\sc.exe
        sc config "AdskLicensingService" Start= Auto
        - Launches sc.exe

    [3] C:\Windows\system32\schtasks.exe
        schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f

    [3] C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"
        - Creates scheduled task(s)

    [3] C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
        - Modifies Windows Firewall

    [3] C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
        - Modifies Windows Firewall

    [3] C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
        - Modifies Windows Firewall

    [3] C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
        - Modifies Windows Firewall

    [3] C:\Windows\system32\net.exe
        net start AdskLicensingService

      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start AdskLicensingService

    [3] C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe
        "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory

      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat" "

        [5] C:\Windows\SysWOW64\chcp.com
            chcp 1254

        [5] C:\Windows\SysWOW64\mode.com
            mode con: cols=70 lines=12

        [5] C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            - Runs ping.exe

        [5] C:\Windows\SysWOW64\net.exe
            net stop AdskLicensingService

          [6] C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop AdskLicensingService

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "AdskLicensingService.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "AdskLicensingAgent.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "ADPClientService.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "AdskLicensingInstHelper.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "lmgrd.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "adskflex.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "lmutil.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM "lmtools.exe"
            - Kills process with taskkill

        [5] C:\Windows\SysWOW64\net.exe
            net start AdskLicensingService

          [6] C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start AdskLicensingService

        [5] C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
            lmgrd.exe -z -c License.lic
            - Executes dropped EXE

          [6] C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
              adskflex.exe -T Rhatqedq 11.16 -1 -c ";License.lic;" -lmgrd_port 6978 -srv SJzutRxPDqCFxODOlXyZqWjcDBG8owfNfCWEDhmC28mIt7NhNPsKV5P07RTNy8o --lmgrd_start 664cb102 -vdrestart 0
              - Executes dropped EXE

    [3] C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 2
        - Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
        C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c set

      [4] C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
          PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~53508137209552201.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe
          "C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

      [4] C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
          PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmd"
          - Executes dropped EXE

        [5] C:\Windows\SYSTEM32\cmd.exe
            cmd /c "C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmd"

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

      [4] C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
          PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd"
          - Executes dropped EXE

        [5] C:\Windows\SYSTEM32\cmd.exe
            cmd /c "C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd"

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

          [6] C:\Windows\system32\PING.EXE
              ping -n 2 127.0.0.1
              - Runs ping.exe

[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat
Filesize: 7KB
MD5: 5f9d018c9516c12cfe4585a4ba3a2dc9
SHA1: 6e8349ff419df788eff4137ec3b2cb600af17fe7
SHA256: 1767e7a1d08cfe7b867b401f8fd682e22b4c511cdd2c7ef36aed7c1d3a3f4f2e
SHA512: 825e28015bcc00a9d335b144cadf5adf6cfc526801140bc7a6cbee8e9813b41bd6c49205404c376e678f8fcf83086ee3b65ec40728f469afcf109c059c9109c6
-
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe
Filesize: 3.9MB
MD5: abdcd215ed468f7282c196a8a9e473d7
SHA1: 5702dc33da4bc58627bfc9e8b36fd8d82dba3dde
SHA256: e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e
SHA512: 6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367
-
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic
Filesize: 302KB
MD5: b95947dc716b46b8865d6ad72e348252
SHA1: 7b9dfbfbb6798707ade19592db60e013f4dafaee
SHA256: f9bea0f8ac46499daa2f7608e014ff42e1a811dfe9c373e8ca1e04f829c9f6eb
SHA512: e17a3a80b2367883dff7383e90e7c23366e6da3a40d76bb6b4dcb1ded072fcded0c24a1e9290adc26f6ddada343ec2ecd7ff43954112283c7d9aac46c69920bd
-
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe
Filesize: 2.7MB
MD5: e974687b0135a662623056078a8e58e1
SHA1: d448155e737c544e1cce77fc44098809004b93e2
SHA256: 82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae
SHA512: 0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6
-
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe
Filesize: 1.1MB
MD5: 219f8cebef26f1373062357b2f4a8489
SHA1: c77dfc5aa7b908533b6ecba8d8475dcc3545b416
SHA256: cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973
SHA512: 2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef
-
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll
Filesize: 127KB
MD5: 5c51cc926c76b23830d27a97445bf734
SHA1: 51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d
SHA256: 655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb
SHA512: ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285
-
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll
Filesize: 73KB
MD5: 44774fafd716fa45c7a0ccb3b14d59a6
SHA1: 9de0f9b49e53a63757a181b235a3e18f6585b75b
SHA256: 4739abff4da13a27f2421452007c9d2340bf4f9e9a601ef0ec9f1b9d64d1d365
SHA512: 983bd89429c6dbe9ff94f5e4727982e580a4c696a81dab581be701be1600d8eb8bfa00b0e86b4c99bfe4f76ac11ba3bec8fe1138f864668c7ca9e6096c1222fd
-
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe
Filesize: 225KB
MD5: cb5ea38fa0c7a9c053e4e8aa7bc17d76
SHA1: d966e7ae2e68e4a488f0d71eb00dccb4d940f5a4
SHA2569ef7bfbb752b284e1b6d86d175f9573c1dfffe0309d3880f5bb7437bc8069db5
SHA512f9513530c76af03e4260d20be3f89db96534c017c9a2fe1c844315af55962c29c1c2655b6f7f1b56d7e6fd1081dab6aeb0e43b57649aeff0aba5bd79481e91ff
-
C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xmlFilesize
3KB
MD5dbfed3ff9dc6ca06e2cf0e2e63098d66
SHA1a698e52c166f5087ee60968a77261c7608e859c5
SHA256409a178ed9b9c0929fd9f3b8c3a58afd1b3370c53baf49b4956cf9a79f50d398
SHA5126eef1b9075a683a3eee30fbabed658efc970cdec6a234e60c2739440c7ee2d6a7e6b8f4d68bef9030014685d8a0b3d3d62dd62887e198b4675bd570482400414
-
C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.regFilesize
2KB
MD5201a1d31a58330dd6de3bb7f237b405c
SHA15cd58cf2c10bd5498ec228a4958a4efcfe5d07b1
SHA256a2867cb4a7671cbebe5c53bd355a93cfd7c8f6b1e050a8524dee9c5530134655
SHA51217367569d9358b3f4962fe25b54dba4e9e2f5a580d43d318bf30cd66181a8f9302f83fce453b211b86b3b6b079680dc487b90d42c80be20d05ff4014550a69b8
-
C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.jsonFilesize
408B
MD5ba3088f87edfcceb1e084c971db40601
SHA1ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f
SHA256e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651
SHA512e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68
-
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.licFilesize
302KB
MD5d67b2500e768da5dd2ddad58c93473c5
SHA1246db670cdfec058566e46bd4fc4997f85362ff9
SHA2560b5c980d3a05ca360827c5b8ae40148a098b69a531685e4956d2b7e9a2c3523c
SHA512a6ebb58e090bbc9f7517a1257bb03371739d81c5243ca2095d3f465ecb03a9dd2c753e27b3c97cca4b7bea19fd130bd8a76794c8d5f6f978638f44afc143896b
-
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.batFilesize
1KB
MD5e13cd899ca7bcc58f33d0c4ed5eafe5b
SHA14cd518cc494384982cced62366ccc24b86ec093f
SHA25690a9a38071c84b2dcb49be6a3ddfc424932bcf8d8a4a66a173ab4030470cf7ac
SHA512c4dc5801d4f4867ded01f0f169b8c0ba197bcbe8e03b2f26d66510083cfa179d750b3c35f3b2e6d6d723a07062b8e0ca86dca1d85745178009c83fbffac47e3a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58f76a4c4be314cda548f254a80cb087a
SHA1f069a3f468b5d1e12a94244869feb6dcbe608269
SHA25660e9ce7951e44760c3631e48117d52f3d42beae69969d4c680ea25b6679ca2be
SHA5121179afd46224288a04f24bc3208fab1b88d2cd9bfa02dfb9c952bbba67053b64f776d384d86941c6a098954695379fc3f8ff440a4733ecfa6302334af77c02bf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpicmqxy.q3k.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmdFilesize
356B
MD58f570c384b39a4f918d7157e2e0a35f1
SHA1bd38286dd3162dab79ee02ee4490e8e973a1af4f
SHA256425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5
SHA512623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1
-
C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmpFilesize
4.7MB
MD52cd2e801b30c7a361891122d117e2b81
SHA15a039cf40ceacdee85cc62b83be305cff64d906f
SHA2564377a01c1e30f102dac5ff4f304190f583b6fba39533752e848b794dcb9bbc23
SHA5120c14cbb783e05df02c8625b140b0dafbea1fad84baf19862efc4a11ee61791fc41f9e41a56525b124411fc220aeae9132e3662c897cf84e7dc4dd9bc727a9c8d
-
C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exeFilesize
3.5MB
MD5939261459f9c29343dd1d6bd51f3709e
SHA1b1110b91465ebc137402a3c30842b0e87e870365
SHA256b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028
SHA512697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db
-
C:\Users\Admin\AppData\Local\Temp\~4419705177631379299~\sg.tmpFilesize
715KB
MD57c4718943bd3f66ebdb47ccca72c7b1e
SHA1f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA2564cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516
-
C:\Users\Admin\AppData\Local\Temp\~53508137209552201.tmpFilesize
3.1MB
MD580ab2f749a3753866a20b5b87375fe43
SHA1bac069abf966cf486687845c74eed0cf7aee036e
SHA2568f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe
SHA5122c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30
-
C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmdFilesize
325B
MD5423341eb8d0c3d77d57f41479b48c90a
SHA118b93d144e4aeca5c35e84b4691657ee32613934
SHA2564f9299efe5938f05a6a779d720c5f242b98168ec54aaf02677911e8a9891ba9e
SHA512d2460c77e5037ddb43de849bd2a167fb2eb4ac6dc638b07826541ea198855467c9285aabfd4660697db8c7a2db658ac7ad7bf0ba1cdf06e17556b57865487ca0
-
C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmdFilesize
373B
MD56e43fb5214c12a02b1577373c1390f3a
SHA1b3a78242d14e58a953e40127dbe07b17fa627cdd
SHA25619b08f84a90146fa0000890ead7f8e405a26afcf615cfb7d604d040fc75b9c9a
SHA51222729505c2edc06fe317274227cdcf75e8cf2622a131048ad6dec8ea8ce9b3038d172b643cb14334a40add3ee3e2e077202b7eafc6024bf9487c9aed33d6dc2c
-
C:\Users\Admin\AppData\Local\Temp\~~1413342797345173631.tmpFilesize
143B
MD525f387629ffbf0bbada23ce1ac1ff26e
SHA16a298921bfba0538cbd7efc34adba482cacd2f42
SHA2565bcec7358d3ce958532585be14c61b2326fc7e43b27958b067501975e0fd8b0c
SHA5123e8c8ebe5a0622b016c85f97acef6143d0d6350b51206cc4827085c91bd853c770bf8c7488918914f436c780742c5598c379758515c5740b457dadc8e1f6aa02
-
C:\Users\Admin\AppData\Local\Temp\~~4872120815816500638.tmpFilesize
139B
MD5dcd555533c93c6c9d14386151f1943dc
SHA11df53102e649acc46cf002db9f06004ebb1e8e07
SHA25683355b760f268dbdba5fbeb8178409b8231acb38ad0c8b06f150d5a1573093dd
SHA5120046837db9b7f0bc1aeee60919072423fc01741a711fe68fa5bcb0407fad6a7a20e91a084da2492bbd288a747011c1af749d1d98e1e282d60c099b152b24354c
-
memory/404-10-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/404-7-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/744-130-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/744-127-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/1316-50-0x000001A5BF7F0000-0x000001A5BF812000-memory.dmpFilesize
136KB
-
memory/1540-179-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/1540-174-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/1944-118-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/1944-172-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/2028-114-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/2028-109-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/2876-144-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmpFilesize
18.2MB
-
memory/2876-188-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmpFilesize
18.2MB
-
memory/3332-170-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/3332-176-0x0000000000400000-0x000000000057F000-memory.dmpFilesize
1.5MB
-
memory/4076-49-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/4076-0-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB