895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Size

5.8MB
MD5

51690fe04f14ae35d4347876fa1e0014
SHA1

12f92ca4df31967a80102feb57764ee3f0149111
SHA256

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706
SHA512

52b07d197130fd87cfc84b2259d1fa14d4301fa399932da144a61ad7d495ae8c18abf1a118fca9baf76e5f749940ca58d77fd33223498683eac91cb5d97c7d22
SSDEEP

98304:unnicbdavh/oXUE+yZExTdVY7yhHD0uCqH5peY3+cVe1+2CjYnnnax5LCghRO6EV:4ARsdjZEve2hHDDrBg1+2dnn8RX23H

Score

8^/10

evasion execution persistence upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

456 netsh.exe
4460 netsh.exe
4008 netsh.exe
1000 netsh.exe

pid	process
456	netsh.exe
4460	netsh.exe
4008	netsh.exe
1000	netsh.exe

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe\Debugger = "Blocked"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe\Debugger = "Blocked"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskUpdateCheck.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdskInstallerUpdateCheck.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LogAnalyzer.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdSSO.exe\Debugger = "Blocked"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenuineService.exe\Debugger = "Blocked"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Service.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Service.exe

Executes dropped EXE 9 IoCs

Processes:

sg.tmpService.exeEnd_v1.20.exeEnd_v1.20.exeEnd_v1.2.exeEnd_v1.20.exeEnd_v1.20.exelmgrd.exeadskflex.exe

pid process

816 sg.tmp
2028 Service.exe
1944 End_v1.20.exe
744 End_v1.20.exe
2876 End_v1.2.exe
3332 End_v1.20.exe
1540 End_v1.20.exe
2300 lmgrd.exe
4796 adskflex.exe

pid	process
816	sg.tmp
2028	Service.exe
1944	End_v1.20.exe
744	End_v1.20.exe
2876	End_v1.2.exe
3332	End_v1.20.exe
1540	End_v1.20.exe
2300	lmgrd.exe
4796	adskflex.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4076-0-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/404-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/404-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4076-49-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe	upx
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe	upx
behavioral2/memory/2028-109-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/2028-114-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/1944-118-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/744-127-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/744-130-0x0000000000400000-0x000000000057F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe	upx
behavioral2/memory/2876-144-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp	upx
behavioral2/memory/1944-172-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/1540-174-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/3332-176-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/3332-170-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/1540-179-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/2876-188-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp	upx

Drops file in Program Files directory 17 IoCs

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exeService.exexcopy.exexcopy.exexcopy.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\netapi32.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	powershell.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat	Service.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3576 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3516 powershell.exe
3336 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3576	sc.exe

pid	process
3516	powershell.exe
3336	powershell.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

End_v1.20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	End_v1.20.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4036 schtasks.exe

pid	process
4036	schtasks.exe

Kills process with taskkill 18 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1908	taskkill.exe
4208	taskkill.exe
532	taskkill.exe
2696	taskkill.exe
1364	taskkill.exe
2572	taskkill.exe
5112	taskkill.exe
732	taskkill.exe
5052	taskkill.exe
4084	taskkill.exe
1980	taskkill.exe
1000	taskkill.exe
2952	taskkill.exe
2024	taskkill.exe
432	taskkill.exe
1764	taskkill.exe
4512	taskkill.exe
1004	taskkill.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4280 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3892 PING.EXE
3732 PING.EXE
1908 PING.EXE
1380 PING.EXE
2788 PING.EXE
4688 PING.EXE
1608 PING.EXE
4036 PING.EXE

pid	process
4280	regedit.exe

pid	process
3892	PING.EXE
3732	PING.EXE
1908	PING.EXE
1380	PING.EXE
2788	PING.EXE
4688	PING.EXE
1608	PING.EXE
4036	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1316	powershell.exe
1316	powershell.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exesg.tmptaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exemsiexec.exepowershell.exepowershell.exeEnd_v1.20.exeEnd_v1.20.exe

description	pid	process
Token: SeBackupPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeCreateGlobalPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeBackupPrivilege	404	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	404	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	404	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	404	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: 33	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeIncBasePriorityPrivilege	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
Token: SeRestorePrivilege	816	sg.tmp
Token: 35	816	sg.tmp
Token: SeSecurityPrivilege	816	sg.tmp
Token: SeSecurityPrivilege	816	sg.tmp
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeSecurityPrivilege	3240	msiexec.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeIncreaseQuotaPrivilege	3516	powershell.exe
Token: SeSecurityPrivilege	3516	powershell.exe
Token: SeTakeOwnershipPrivilege	3516	powershell.exe
Token: SeLoadDriverPrivilege	3516	powershell.exe
Token: SeSystemProfilePrivilege	3516	powershell.exe
Token: SeSystemtimePrivilege	3516	powershell.exe
Token: SeProfSingleProcessPrivilege	3516	powershell.exe
Token: SeIncBasePriorityPrivilege	3516	powershell.exe
Token: SeCreatePagefilePrivilege	3516	powershell.exe
Token: SeBackupPrivilege	3516	powershell.exe
Token: SeRestorePrivilege	3516	powershell.exe
Token: SeShutdownPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeSystemEnvironmentPrivilege	3516	powershell.exe
Token: SeRemoteShutdownPrivilege	3516	powershell.exe
Token: SeUndockPrivilege	3516	powershell.exe
Token: SeManageVolumePrivilege	3516	powershell.exe
Token: 33	3516	powershell.exe
Token: 34	3516	powershell.exe
Token: 35	3516	powershell.exe
Token: 36	3516	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeBackupPrivilege	1944	End_v1.20.exe
Token: SeRestorePrivilege	1944	End_v1.20.exe
Token: 33	1944	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	1944	End_v1.20.exe
Token: SeCreateGlobalPrivilege	1944	End_v1.20.exe
Token: 33	1944	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	1944	End_v1.20.exe
Token: 33	1944	End_v1.20.exe
Token: SeIncBasePriorityPrivilege	1944	End_v1.20.exe
Token: SeBackupPrivilege	744	End_v1.20.exe
Token: SeRestorePrivilege	744	End_v1.20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

End_v1.2.exe

pid process

2876 End_v1.2.exe
2876 End_v1.2.exe

pid	process
2876	End_v1.2.exe
2876	End_v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.execmd.exenet.execmd.exe

description	pid	process	target process
PID 4076 wrote to memory of 3276	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 4076 wrote to memory of 3276	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 4076 wrote to memory of 404	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 4076 wrote to memory of 404	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 4076 wrote to memory of 404	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PID 4076 wrote to memory of 816	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 4076 wrote to memory of 816	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 4076 wrote to memory of 816	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	sg.tmp
PID 4076 wrote to memory of 1424	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 4076 wrote to memory of 1424	4076	895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe	cmd.exe
PID 1424 wrote to memory of 2932	1424	cmd.exe	chcp.com
PID 1424 wrote to memory of 2932	1424	cmd.exe	chcp.com
PID 1424 wrote to memory of 2300	1424	cmd.exe	mode.com
PID 1424 wrote to memory of 2300	1424	cmd.exe	mode.com
PID 1424 wrote to memory of 3700	1424	cmd.exe	net.exe
PID 1424 wrote to memory of 3700	1424	cmd.exe	net.exe
PID 3700 wrote to memory of 3908	3700	net.exe	net1.exe
PID 3700 wrote to memory of 3908	3700	net.exe	net1.exe
PID 1424 wrote to memory of 1908	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1908	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1364	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1364	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 5052	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 5052	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 4084	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 4084	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 2024	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 2024	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 432	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 432	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1980	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1980	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 2572	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 2572	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1764	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1764	1424	cmd.exe	taskkill.exe
PID 1424 wrote to memory of 1316	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 1316	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 4280	1424	cmd.exe	regedit.exe
PID 1424 wrote to memory of 4280	1424	cmd.exe	regedit.exe
PID 1424 wrote to memory of 4076	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 4076	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 1380	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 1380	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2252	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2252	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 560	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 560	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2700	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2700	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 484	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 484	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 3616	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 3616	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2436	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2436	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2968	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 2968	1424	cmd.exe	xcopy.exe
PID 1424 wrote to memory of 4284	1424	cmd.exe	cmd.exe
PID 1424 wrote to memory of 4284	1424	cmd.exe	cmd.exe
PID 4284 wrote to memory of 3516	4284	cmd.exe	powershell.exe
PID 4284 wrote to memory of 3516	4284	cmd.exe	powershell.exe
PID 1424 wrote to memory of 3336	1424	cmd.exe	powershell.exe
PID 1424 wrote to memory of 3336	1424	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
"C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c set
2⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=4909086 "C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmp",,C:\Users\Admin\AppData\Local\Temp\895470e4a5d537314fc2da5b3d5033fecae8d92a106f5cef0e1cf2adaa730706.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Local\Temp\~4419705177631379299~\sg.tmp
7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmp" -y -aoa -o"C:\AutodeskLicensePatcherInstaller"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\chcp.com
chcp 1254
3⤵
PID:2932

C:\Windows\system32\mode.com
mode con: cols=70 lines=15
3⤵
PID:2300

C:\Windows\system32\net.exe
net stop AdskLicensingService
3⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
4⤵
PID:3908

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmgrd.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\taskkill.exe
taskkill /F /IM "adskflex.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmutil.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\taskkill.exe
taskkill /F /IM "lmtools.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\regedit.exe
regedit.exe /s "C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg"
3⤵
- Sets file execution options in registry
- Runs .reg file with regedit
PID:4280

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:4076

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:1380

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:2252

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:560

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:2700

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:484

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i
3⤵
- Drops file in Program Files directory
PID:3616

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i
3⤵
PID:2436

C:\Windows\system32\xcopy.exe
xcopy "C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
3⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
3⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "(gc License.lic) -replace 'MAC', '72707479DC64' | Out-File -encoding ASCII License.lic"
3⤵
- Drops file in Program Files directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\sc.exe
sc config "AdskLicensingService" Start= Auto
3⤵
- Launches sc.exe
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
3⤵
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"
3⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
3⤵
- Modifies Windows Firewall
PID:4460

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
3⤵
- Modifies Windows Firewall
PID:4008

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
3⤵
- Modifies Windows Firewall
PID:1000

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
3⤵
- Modifies Windows Firewall
PID:456

C:\Windows\system32\net.exe
net start AdskLicensingService
3⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
4⤵
PID:2700

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat" "
4⤵
PID:396

C:\Windows\SysWOW64\chcp.com
chcp 1254
5⤵
PID:4560

C:\Windows\SysWOW64\mode.com
mode con: cols=70 lines=12
5⤵
PID:3760

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:1908

C:\Windows\SysWOW64\net.exe
net stop AdskLicensingService
5⤵
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdskLicensingService
6⤵
PID:4280

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingService.exe"
5⤵
- Kills process with taskkill
PID:1000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAgent.exe"
5⤵
- Kills process with taskkill
PID:4512

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "ADPClientService.exe"
5⤵
- Kills process with taskkill
PID:4208

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
5⤵
- Kills process with taskkill
PID:532

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "AdskLicensingInstHelper.exe"
5⤵
- Kills process with taskkill
PID:5112

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmgrd.exe"
5⤵
- Kills process with taskkill
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "adskflex.exe"
5⤵
- Kills process with taskkill
PID:2952

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmutil.exe"
5⤵
- Kills process with taskkill
PID:732

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "lmtools.exe"
5⤵
- Kills process with taskkill
PID:2696

C:\Windows\SysWOW64\net.exe
net start AdskLicensingService
5⤵
PID:2168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AdskLicensingService
6⤵
PID:4524

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
lmgrd.exe -z -c License.lic
5⤵
- Executes dropped EXE
PID:2300

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
adskflex.exe -T Rhatqedq 11.16 -1 -c ";License.lic;" -lmgrd_port 6978 -srv SJzutRxPDqCFxODOlXyZqWjcDBG8owfNfCWEDhmC28mIt7NhNPsKV5P07RTNy8o --lmgrd_start 664cb102 -vdrestart 0
6⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:3732

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c set
4⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~53508137209552201.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmd"
4⤵
- Executes dropped EXE
PID:3332

C:\Windows\SYSTEM32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmd"
5⤵
PID:960

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:1380

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:4688

C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd"
4⤵
- Executes dropped EXE
PID:1540

C:\Windows\SYSTEM32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd"
5⤵
PID:3352

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:2788

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:1608

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:4036

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:3892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat
Filesize
7KB

MD5
5f9d018c9516c12cfe4585a4ba3a2dc9

SHA1
6e8349ff419df788eff4137ec3b2cb600af17fe7

SHA256
1767e7a1d08cfe7b867b401f8fd682e22b4c511cdd2c7ef36aed7c1d3a3f4f2e

SHA512
825e28015bcc00a9d335b144cadf5adf6cfc526801140bc7a6cbee8e9813b41bd6c49205404c376e678f8fcf83086ee3b65ec40728f469afcf109c059c9109c6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\End_v1.20.exe
Filesize
3.9MB

MD5
abdcd215ed468f7282c196a8a9e473d7

SHA1
5702dc33da4bc58627bfc9e8b36fd8d82dba3dde

SHA256
e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

SHA512
6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic
Filesize
302KB

MD5
b95947dc716b46b8865d6ad72e348252

SHA1
7b9dfbfbb6798707ade19592db60e013f4dafaee

SHA256
f9bea0f8ac46499daa2f7608e014ff42e1a811dfe9c373e8ca1e04f829c9f6eb

SHA512
e17a3a80b2367883dff7383e90e7c23366e6da3a40d76bb6b4dcb1ded072fcded0c24a1e9290adc26f6ddada343ec2ecd7ff43954112283c7d9aac46c69920bd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe
Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe
Filesize
1.1MB

MD5
219f8cebef26f1373062357b2f4a8489

SHA1
c77dfc5aa7b908533b6ecba8d8475dcc3545b416

SHA256
cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973

SHA512
2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll
Filesize
127KB

MD5
5c51cc926c76b23830d27a97445bf734

SHA1
51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d

SHA256
655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb

SHA512
ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll
Filesize
73KB

MD5
44774fafd716fa45c7a0ccb3b14d59a6

SHA1
9de0f9b49e53a63757a181b235a3e18f6585b75b

SHA256
4739abff4da13a27f2421452007c9d2340bf4f9e9a601ef0ec9f1b9d64d1d365

SHA512
983bd89429c6dbe9ff94f5e4727982e580a4c696a81dab581be701be1600d8eb8bfa00b0e86b4c99bfe4f76ac11ba3bec8fe1138f864668c7ca9e6096c1222fd

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe
Filesize
225KB

MD5
cb5ea38fa0c7a9c053e4e8aa7bc17d76

SHA1
d966e7ae2e68e4a488f0d71eb00dccb4d940f5a4

SHA256
9ef7bfbb752b284e1b6d86d175f9573c1dfffe0309d3880f5bb7437bc8069db5

SHA512
f9513530c76af03e4260d20be3f89db96534c017c9a2fe1c844315af55962c29c1c2655b6f7f1b56d7e6fd1081dab6aeb0e43b57649aeff0aba5bd79481e91ff

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml
Filesize
3KB

MD5
dbfed3ff9dc6ca06e2cf0e2e63098d66

SHA1
a698e52c166f5087ee60968a77261c7608e859c5

SHA256
409a178ed9b9c0929fd9f3b8c3a58afd1b3370c53baf49b4956cf9a79f50d398

SHA512
6eef1b9075a683a3eee30fbabed658efc970cdec6a234e60c2739440c7ee2d6a7e6b8f4d68bef9030014685d8a0b3d3d62dd62887e198b4675bd570482400414

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg
Filesize
2KB

MD5
201a1d31a58330dd6de3bb7f237b405c

SHA1
5cd58cf2c10bd5498ec228a4958a4efcfe5d07b1

SHA256
a2867cb4a7671cbebe5c53bd355a93cfd7c8f6b1e050a8524dee9c5530134655

SHA512
17367569d9358b3f4962fe25b54dba4e9e2f5a580d43d318bf30cd66181a8f9302f83fce453b211b86b3b6b079680dc487b90d42c80be20d05ff4014550a69b8

Download Submit
C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json
Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic
Filesize
302KB

MD5
d67b2500e768da5dd2ddad58c93473c5

SHA1
246db670cdfec058566e46bd4fc4997f85362ff9

SHA256
0b5c980d3a05ca360827c5b8ae40148a098b69a531685e4956d2b7e9a2c3523c

SHA512
a6ebb58e090bbc9f7517a1257bb03371739d81c5243ca2095d3f465ecb03a9dd2c753e27b3c97cca4b7bea19fd130bd8a76794c8d5f6f978638f44afc143896b

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat
Filesize
1KB

MD5
e13cd899ca7bcc58f33d0c4ed5eafe5b

SHA1
4cd518cc494384982cced62366ccc24b86ec093f

SHA256
90a9a38071c84b2dcb49be6a3ddfc424932bcf8d8a4a66a173ab4030470cf7ac

SHA512
c4dc5801d4f4867ded01f0f169b8c0ba197bcbe8e03b2f26d66510083cfa179d750b3c35f3b2e6d6d723a07062b8e0ca86dca1d85745178009c83fbffac47e3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8f76a4c4be314cda548f254a80cb087a

SHA1
f069a3f468b5d1e12a94244869feb6dcbe608269

SHA256
60e9ce7951e44760c3631e48117d52f3d42beae69969d4c680ea25b6679ca2be

SHA512
1179afd46224288a04f24bc3208fab1b88d2cd9bfa02dfb9c952bbba67053b64f776d384d86941c6a098954695379fc3f8ff440a4733ecfa6302334af77c02bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpicmqxy.q3k.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1663158539410536930.cmd
Filesize
356B

MD5
8f570c384b39a4f918d7157e2e0a35f1

SHA1
bd38286dd3162dab79ee02ee4490e8e973a1af4f

SHA256
425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5

SHA512
623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2795631179969956540.tmp
Filesize
4.7MB

MD5
2cd2e801b30c7a361891122d117e2b81

SHA1
5a039cf40ceacdee85cc62b83be305cff64d906f

SHA256
4377a01c1e30f102dac5ff4f304190f583b6fba39533752e848b794dcb9bbc23

SHA512
0c14cbb783e05df02c8625b140b0dafbea1fad84baf19862efc4a11ee61791fc41f9e41a56525b124411fc220aeae9132e3662c897cf84e7dc4dd9bc727a9c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3041436098085507127\End_v1.2.exe
Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4419705177631379299~\sg.tmp
Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~53508137209552201.tmp
Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd
Filesize
325B

MD5
423341eb8d0c3d77d57f41479b48c90a

SHA1
18b93d144e4aeca5c35e84b4691657ee32613934

SHA256
4f9299efe5938f05a6a779d720c5f242b98168ec54aaf02677911e8a9891ba9e

SHA512
d2460c77e5037ddb43de849bd2a167fb2eb4ac6dc638b07826541ea198855467c9285aabfd4660697db8c7a2db658ac7ad7bf0ba1cdf06e17556b57865487ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6426402704456396850.cmd
Filesize
373B

MD5
6e43fb5214c12a02b1577373c1390f3a

SHA1
b3a78242d14e58a953e40127dbe07b17fa627cdd

SHA256
19b08f84a90146fa0000890ead7f8e405a26afcf615cfb7d604d040fc75b9c9a

SHA512
22729505c2edc06fe317274227cdcf75e8cf2622a131048ad6dec8ea8ce9b3038d172b643cb14334a40add3ee3e2e077202b7eafc6024bf9487c9aed33d6dc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~1413342797345173631.tmp
Filesize
143B

MD5
25f387629ffbf0bbada23ce1ac1ff26e

SHA1
6a298921bfba0538cbd7efc34adba482cacd2f42

SHA256
5bcec7358d3ce958532585be14c61b2326fc7e43b27958b067501975e0fd8b0c

SHA512
3e8c8ebe5a0622b016c85f97acef6143d0d6350b51206cc4827085c91bd853c770bf8c7488918914f436c780742c5598c379758515c5740b457dadc8e1f6aa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~4872120815816500638.tmp
Filesize
139B

MD5
dcd555533c93c6c9d14386151f1943dc

SHA1
1df53102e649acc46cf002db9f06004ebb1e8e07

SHA256
83355b760f268dbdba5fbeb8178409b8231acb38ad0c8b06f150d5a1573093dd

SHA512
0046837db9b7f0bc1aeee60919072423fc01741a711fe68fa5bcb0407fad6a7a20e91a084da2492bbd288a747011c1af749d1d98e1e282d60c099b152b24354c

Download Submit
memory/404-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/404-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/744-130-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/744-127-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1316-50-0x000001A5BF7F0000-0x000001A5BF812000-memory.dmp

Filesize
136KB

Download
memory/1540-179-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1540-174-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1944-118-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1944-172-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2028-114-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2028-109-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2876-144-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp

Filesize
18.2MB

Download
memory/2876-188-0x00007FF7DD440000-0x00007FF7DE67F000-memory.dmp

Filesize
18.2MB

Download
memory/3332-170-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3332-176-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4076-49-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4076-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download