82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad

Analysis

max time kernel
143s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Size

6.6MB
MD5

6ec1efa85155caab6391b7e0c8327333
SHA1

0eb2367eef8e9e811faa2dbb244a950d74becf3d
SHA256

82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad
SHA512

bbf62a722de0fbd243b73c847a20db8f05574525a93ac73138230522dc9a643fd0a86721fab3fa3fbee2696c0a3a3a551870c7c9bc0d82a8d26eeb8ed47f3a86
SSDEEP

196608:NLljZEve2hHDDrBg1+2dnn8RX23Ggta2j:NVZsek1g1+kneXWj

Score

8^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2548	netsh.exe
3044	netsh.exe
2084	netsh.exe
2948	netsh.exe
2644	netsh.exe
2820	netsh.exe
2940	netsh.exe
2968	netsh.exe
2240	netsh.exe
2836	netsh.exe
2440	netsh.exe
1088	netsh.exe
2612	netsh.exe
2972	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Autodesk License AutoConfig\ImagePath = "C:\\Program Files (x86)\\Common Files\\Autodesk Shared\\Network License Manager\\lmgrd.exe"	regedit.exe

Executes dropped EXE 12 IoCs

pid	Process
2892	sg.tmp
800	Start Service.exe
2688	Start Service.exe
2412	sg.tmp
824	lmgrd.exe
1560	End_v1.20.exe
1356	Start Service.exe
2112	End_v1.20.exe
1576	End_v1.2.exe
1180	Process not Found
1756	End_v1.20.exe
1676	End_v1.20.exe

Loads dropped DLL 9 IoCs

pid	Process
1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
800	Start Service.exe
800	Start Service.exe
2572	cmd.exe
800	Start Service.exe
1560	End_v1.20.exe
1560	End_v1.20.exe
1560	End_v1.20.exe
1560	End_v1.20.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1072-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1072-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1968-58-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x0007000000018722-66.dat	upx
behavioral1/files/0x000500000001961b-97.dat	upx
behavioral1/memory/800-99-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2688-109-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2688-111-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1560-141-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/800-158-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2112-172-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1356-169-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1356-162-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2112-175-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/files/0x0007000000019260-186.dat	upx
behavioral1/memory/1576-191-0x000000013F2F0000-0x000000014052F000-memory.dmp	upx
behavioral1/memory/1756-233-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1560-231-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1676-229-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1756-228-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1676-237-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral1/memory/1576-239-0x000000013F2F0000-0x000000014052F000-memory.dmp	upx
behavioral1/memory/1576-242-0x000000013F2F0000-0x000000014052F000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe
1668	powershell.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	powershell.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Start Service.bat	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Start Service.bat	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3036	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 42 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2732	PING.EXE
2664	PING.EXE
756	PING.EXE
2856	PING.EXE
2920	PING.EXE
2864	PING.EXE

Kills process with taskkill 9 IoCs

evasion

pid	Process
1784	taskkill.exe
1892	taskkill.exe
480	taskkill.exe
2412	taskkill.exe
1004	taskkill.exe
2368	taskkill.exe
2356	taskkill.exe
1980	taskkill.exe
2224	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2796	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2664	PING.EXE
756	PING.EXE
2856	PING.EXE
2920	PING.EXE
2864	PING.EXE
2732	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1492	msiexec.exe
800	Start Service.exe
1560	End_v1.20.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1632	powershell.exe
2592	powershell.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeCreateGlobalPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeBackupPrivilege	1072	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	1072	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	1072	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	1072	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	2892	sg.tmp
Token: 35	2892	sg.tmp
Token: SeSecurityPrivilege	2892	sg.tmp
Token: SeSecurityPrivilege	2892	sg.tmp
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeShutdownPrivilege	1492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	1492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1492	msiexec.exe
Token: SeLockMemoryPrivilege	1492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1492	msiexec.exe
Token: SeMachineAccountPrivilege	1492	msiexec.exe
Token: SeTcbPrivilege	1492	msiexec.exe
Token: SeSecurityPrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeLoadDriverPrivilege	1492	msiexec.exe
Token: SeSystemProfilePrivilege	1492	msiexec.exe
Token: SeSystemtimePrivilege	1492	msiexec.exe
Token: SeProfSingleProcessPrivilege	1492	msiexec.exe
Token: SeIncBasePriorityPrivilege	1492	msiexec.exe
Token: SeCreatePagefilePrivilege	1492	msiexec.exe
Token: SeCreatePermanentPrivilege	1492	msiexec.exe
Token: SeBackupPrivilege	1492	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeShutdownPrivilege	1492	msiexec.exe
Token: SeDebugPrivilege	1492	msiexec.exe
Token: SeAuditPrivilege	1492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1492	msiexec.exe
Token: SeChangeNotifyPrivilege	1492	msiexec.exe
Token: SeRemoteShutdownPrivilege	1492	msiexec.exe
Token: SeUndockPrivilege	1492	msiexec.exe
Token: SeSyncAgentPrivilege	1492	msiexec.exe
Token: SeEnableDelegationPrivilege	1492	msiexec.exe
Token: SeManageVolumePrivilege	1492	msiexec.exe
Token: SeImpersonatePrivilege	1492	msiexec.exe
Token: SeCreateGlobalPrivilege	1492	msiexec.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1576	End_v1.2.exe
1576	End_v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1792	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	30
PID 1968 wrote to memory of 1792	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	30
PID 1968 wrote to memory of 1792	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	30
PID 1968 wrote to memory of 1792	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	30
PID 1968 wrote to memory of 1072	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	32
PID 1968 wrote to memory of 1072	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	32
PID 1968 wrote to memory of 1072	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	32
PID 1968 wrote to memory of 1072	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	32
PID 1968 wrote to memory of 2892	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	33
PID 1968 wrote to memory of 2892	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	33
PID 1968 wrote to memory of 2892	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	33
PID 1968 wrote to memory of 2892	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	33
PID 1968 wrote to memory of 2712	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	35
PID 1968 wrote to memory of 2712	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	35
PID 1968 wrote to memory of 2712	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	35
PID 1968 wrote to memory of 2712	1968	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	35
PID 2712 wrote to memory of 2620	2712	cmd.exe	37
PID 2712 wrote to memory of 2620	2712	cmd.exe	37
PID 2712 wrote to memory of 2620	2712	cmd.exe	37
PID 2712 wrote to memory of 2984	2712	cmd.exe	38
PID 2712 wrote to memory of 2984	2712	cmd.exe	38
PID 2712 wrote to memory of 2984	2712	cmd.exe	38
PID 2712 wrote to memory of 2848	2712	cmd.exe	39
PID 2712 wrote to memory of 2848	2712	cmd.exe	39
PID 2712 wrote to memory of 2848	2712	cmd.exe	39
PID 2712 wrote to memory of 2760	2712	cmd.exe	40
PID 2712 wrote to memory of 2760	2712	cmd.exe	40
PID 2712 wrote to memory of 2760	2712	cmd.exe	40
PID 2712 wrote to memory of 2644	2712	cmd.exe	41
PID 2712 wrote to memory of 2644	2712	cmd.exe	41
PID 2712 wrote to memory of 2644	2712	cmd.exe	41
PID 2712 wrote to memory of 2612	2712	cmd.exe	42
PID 2712 wrote to memory of 2612	2712	cmd.exe	42
PID 2712 wrote to memory of 2612	2712	cmd.exe	42
PID 2712 wrote to memory of 2820	2712	cmd.exe	43
PID 2712 wrote to memory of 2820	2712	cmd.exe	43
PID 2712 wrote to memory of 2820	2712	cmd.exe	43
PID 2712 wrote to memory of 2968	2712	cmd.exe	44
PID 2712 wrote to memory of 2968	2712	cmd.exe	44
PID 2712 wrote to memory of 2968	2712	cmd.exe	44
PID 2712 wrote to memory of 2240	2712	cmd.exe	45
PID 2712 wrote to memory of 2240	2712	cmd.exe	45
PID 2712 wrote to memory of 2240	2712	cmd.exe	45
PID 2712 wrote to memory of 2836	2712	cmd.exe	46
PID 2712 wrote to memory of 2836	2712	cmd.exe	46
PID 2712 wrote to memory of 2836	2712	cmd.exe	46
PID 2712 wrote to memory of 2440	2712	cmd.exe	47
PID 2712 wrote to memory of 2440	2712	cmd.exe	47
PID 2712 wrote to memory of 2440	2712	cmd.exe	47
PID 2712 wrote to memory of 2972	2712	cmd.exe	48
PID 2712 wrote to memory of 2972	2712	cmd.exe	48
PID 2712 wrote to memory of 2972	2712	cmd.exe	48
PID 2712 wrote to memory of 2548	2712	cmd.exe	49
PID 2712 wrote to memory of 2548	2712	cmd.exe	49
PID 2712 wrote to memory of 2548	2712	cmd.exe	49
PID 2712 wrote to memory of 1088	2712	cmd.exe	50
PID 2712 wrote to memory of 1088	2712	cmd.exe	50
PID 2712 wrote to memory of 1088	2712	cmd.exe	50
PID 2712 wrote to memory of 1268	2712	cmd.exe	51
PID 2712 wrote to memory of 1268	2712	cmd.exe	51
PID 2712 wrote to memory of 1268	2712	cmd.exe	51
PID 1268 wrote to memory of 1500	1268	net.exe	52
PID 1268 wrote to memory of 1500	1268	net.exe	52
PID 1268 wrote to memory of 1500	1268	net.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
"C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=5721318 "C:\Users\Admin\AppData\Local\Temp\~6261728793250865755.tmp",,C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\~6502627412825402310~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~6261728793250865755.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\Autodesk License AutoConfig\Autodesk License AutoConfig.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\chcp.com
    chcp 936
    3⤵
    PID:2620
- - C:\Windows\system32\mode.com
    mode con: cols=80 lines=15
    3⤵
    PID:2984
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
    3⤵
    PID:2848
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk License AutoConfig" /f
    3⤵
    PID:2760
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="AutodeskNLM"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2644
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked Autodesk License AutoConfig"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2612
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2820
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2968
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2240
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2836
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2440
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2972
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2548
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1088
- - C:\Windows\system32\net.exe
    net stop AdskLicensingService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AdskLicensingService
      4⤵
      PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingAgent.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "ADPClientService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingInstHelper.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmgrd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "adskflex.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmutil.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmtools.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\system32\msiexec.exe
    MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Autodesk License AutoConfig" /f
    3⤵
    PID:2476
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Autodesk License AutoConfig" /f
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Flexlm Service" /f
    3⤵
    PID:2704
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Flexlm Service" /f
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Autodesk License Server" /f
    3⤵
    PID:2724
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Autodesk License Server" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\AdskNLM" /f
    3⤵
    PID:1700
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /f
    3⤵
    PID:2804
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2856
- - C:\Windows\regedit.exe
    regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\Service.reg"
    3⤵
    - Sets service image path in registry
    - Runs .reg file with regedit
    PID:2796
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
    3⤵
    PID:2736
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2900
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2864
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2600
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.bat" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2852
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2192
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2984
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i
    3⤵
    PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
    3⤵
    PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "(gc License.lic) -replace 'MAC', ' ' | Out-File -encoding ASCII License.lic"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
- - C:\Windows\system32\sc.exe
    sc config "AdskLicensingService" Start= Auto
    3⤵
    - Launches sc.exe
    PID:3036
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Autodesk License AutoConfig.xml" /tn "\Microsoft\Windows\Autodesk\Autodesk License AutoConfig"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3044
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2084
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2948
- - C:\Windows\system32\net.exe
    net start AdskLicensingService
    3⤵
    PID:632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start AdskLicensingService
      4⤵
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:800
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c set
      4⤵
      PID:852
  - - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      PECMD**pecmd-cmd* PUTF -dd -skipb=1211904 -len=281 "C:\Users\Admin\AppData\Local\Temp\~3339548960053503778.tmp",,C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\~6850197918505334860~\sg.tmp
      7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~3339548960053503778.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3856986003333668164"
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\~3856986003333668164\Start Service.bat" "
      4⤵
      Loads dropped DLL
      PID:2572
    - - C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
        
        "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -z -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic"
        5⤵
        Executes dropped EXE
        
        PID:824
  - - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~2767694971628492787.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1356
    - - C:\Windows\system32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~2767694971628492787.cmd"
        5⤵
        
        PID:376
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
    C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1560
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c set
      4⤵
      PID:552
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~467898933277927599.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\~8068844968607433951\End_v1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\~8068844968607433951\End_v1.2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1957157972443036154.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1756
    - - C:\Windows\system32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~1957157972443036154.cmd"
        5⤵
        
        PID:2748
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2664
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6128847453630113505.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1676
    - - C:\Windows\system32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~6128847453630113505.cmd"
        5⤵
        
        PID:2144

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
332KB

MD5
9f8df38a2f8ce3537bda86ea141339f5

SHA1
41c94eddbb027a2672f59d99d84c5c935e8735b1

SHA256
30346360a39cf87a1b5ba7d7891f31b33066121adea11877cfaacafb4ecfb314

SHA512
8bad25cb8ccd0db79c876e4af3e2e293cd077d8d43ed7ae30fee28ab2155e78e8e45e083faebd2bd396acf6498c035c5c30290ce564c097c562adb8e095dd51e

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
256KB

MD5
bdd479202a6a3bf488145daf12dd33b8

SHA1
4ca0e17ca845520d004fa64f295219f84fe2563c

SHA256
3128627fd18b866d9f68c3b6b8118da75e01c02f75239f9fbb55598104e3afce

SHA512
daf1593eea8e66347154093a472481aebf157c3a3707ee05418be999eff2ea65f7d8c925e76d167c9d417c427e9610b947cd0097d9109075891e8c6ea4655dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Autodesk License AutoConfig.bat

Filesize
6KB

MD5
f513bc122b9f1374858612d74aceb18a

SHA1
c09965a5d578bf1f2419467dde0becdbeed7af4a

SHA256
2ee7b303c40ecc9bb6e9648db7c3475ab8febfba0ec7abffca12af42619d2fbd

SHA512
541f2065d0d23156fe6acf4aac64a4b96c958e2d4db61d557933575e3739c6b98812ccf2438f5fbb0afadec6295aa3cd83c4f7bfae0c293bb3916b605d2eddd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe

Filesize
3.9MB

MD5
abdcd215ed468f7282c196a8a9e473d7

SHA1
5702dc33da4bc58627bfc9e8b36fd8d82dba3dde

SHA256
e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

SHA512
6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\License.lic

Filesize
332KB

MD5
4fcffcea5c7931c763468249b7cbc55c

SHA1
7818e91f977d59e56f3d19a3155d29d825f17814

SHA256
704a1fd15883b7a530ed9892eb907579d57458104caa20f96c18026ca3eb73d8

SHA512
360aadcba064b00b6a2480b99c3f9a60a34c4f5587c84448546bcc72a4e2810ef471ad550abd6804b47b5b085b058e4dc31db4d034067c911a42c1531e2859e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe

Filesize
1.1MB

MD5
219f8cebef26f1373062357b2f4a8489

SHA1
c77dfc5aa7b908533b6ecba8d8475dcc3545b416

SHA256
cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973

SHA512
2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\netapi32.dll

Filesize
127KB

MD5
5c51cc926c76b23830d27a97445bf734

SHA1
51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d

SHA256
655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb

SHA512
ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\version.dll

Filesize
73KB

MD5
4c059805319a0bb6830c563e41d85918

SHA1
569cbf5401de4c378e7aac030c94430daef57b62

SHA256
c6a4426b196f19b0a456908b20a1b5fa6d2dae8cdb1ee7bc537f2842014ba6db

SHA512
e12a6ac84aa6a96965a092f09fcc7711ff3553c64b620a595ba1f1726377f7356e97d0ffa0dc8759d8217fd67a18b312e8c37c6441bbe9c438596742a0ad6b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Autodesk License AutoConfig.xml

Filesize
3KB

MD5
7e9f374f1a3f8ddedb20739ce4f14793

SHA1
5ad7bb8ced7f4f75a4c45d00ba3ee342897f3693

SHA256
7a4ae3aa5d57dcee5efd7539d33bfd32385b59be457ebd89f478674c3e4228d3

SHA512
a0849c9eec599287f33220743216af3e102fcf9d4b5b34fb6d7f4b15febd22d941c9cf03561a50f316dfcfdea03d00fe5993383982d70284f4c61085b7175683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.bat

Filesize
280B

MD5
f37de3c68d1361af9eb7cc76a3678f44

SHA1
ec0fe3d707135bf7edf17e5b10f047f02fdc8bfc

SHA256
4c7496fd774b64d806d260dd9ba13da4cffeda74c1c5fcea2b17769f73e0ebff

SHA512
fe95005f698562dcd7e158822be60751d5ad20a15dc9add04ee4f8d7cf93c91f2fcd2b82a3a48c08f365d5d04ca14e29f0d67318b72d8b9452dc32165a8388bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe

Filesize
1.2MB

MD5
841fa66b8c9f4af25a67be2e0bd26066

SHA1
b85865233a987b22f2c51d58908bbe2925108810

SHA256
1a64fc057a4455047f24b8422e2969fb0c8bc43a27669ac8c602d3e3b2c7f30f

SHA512
74a0f7c844920399e0b4c6bd797f9e14a52ba797dbd6c0e0a8bec756dae5c1e27e4a793eaa54598f72bc1496c18ef4d391822a2dae03e642adb401f1202801c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\Service.reg

Filesize
3KB

MD5
0febbbabcb143c13348113692f24285a

SHA1
1841ffc26b9f7a523d78ce66f3b2caa330838a9f

SHA256
540b98d56fa0a02df178ca7a4ad4bc6ad05248dac87d331d298520152928ab71

SHA512
2b71ede28f998439102580bc6e485ceac92996130feba8285106c48e7aa6f23205b454d5838f569944670bf466ad78d103111f07ca562deebfea1864e45930f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1957157972443036154.cmd

Filesize
373B

MD5
783dc9ae5bbae56289e4db9e20a4e3a4

SHA1
e9e9d55c13edb32a0de2f86734a3312f3d02dc90

SHA256
c65282fae21848d631e6c205c7028305545c21a1f14adb6e706558b186183c26

SHA512
83c1eb4c8ee7f8621dcd6b68715c47fc2830da9b538debde5225532f0c00538fd3ec9c35e88cda31523e3f1a93414fd95a22dc393fdac21667439c432d319a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2767694971628492787.cmd

Filesize
467B

MD5
538da6352794a81d28273fbc6b196d49

SHA1
ff809348f30d66102df79f2855181ee689d74c76

SHA256
11bc8aa0162df3cf4ca54927e7bb75d958bf10d7bc5abd7c5fe7e9bd81bedcdb

SHA512
cbc1f6521ebeddfe21cb3f575ea3d80cd4e3a424e8c212429aec45770052d3a91cf2c402f31d274ba5b318e9a8b30ceb1818224fce88c7375faedf5d7788ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3339548960053503778.tmp

Filesize
281B

MD5
04e43781d01e5710ccf44331e3be0366

SHA1
8f1bf1047c7729706a2dbdad8a593c5487541f2c

SHA256
7c9face6c5805b0a1cab54787a589064d8db99f88141fb4cd42249ca57db1f4d

SHA512
6895d7df0536f9152a67920ce09c0ed30aea735d43514d68f82b4d1f8abb87d83055af4970f31cb79542f14e1d685a74ce69a11fb13e9a53537daabddd3304f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3856986003333668164\Start Service.bat

Filesize
310B

MD5
6aa40e5450992c32550929c0230b2a90

SHA1
ae74e62e72acfed63b0a3ad0782653f341e28000

SHA256
beb6399c43c88ff6c9bf1690903d83c3d311af5fbd9d5a79cb32277582786e6f

SHA512
f888764eb0e646ef879420088e426ddd2cbd39b6a9de18429faeb3efdefceff4270a78b94b07cca15479e84885993fe9e4c1f545c12ed463372024e9730e225e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~467898933277927599.tmp

Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6128847453630113505.cmd

Filesize
356B

MD5
8f570c384b39a4f918d7157e2e0a35f1

SHA1
bd38286dd3162dab79ee02ee4490e8e973a1af4f

SHA256
425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5

SHA512
623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6261728793250865755.tmp

Filesize
5.5MB

MD5
e29423e3cd4c695d381d0bceb6cd3aa0

SHA1
4a9cf856336a6059635216c341c36adee14343ce

SHA256
0a1f043af7d230d3e51425ae40cafefcbb65588f1cadb929efdacee15b046cbd

SHA512
81a2d934d1bdb5b56d4bcbc1d1683dfb90065309a3a85c5c456743850a23c81c4d22920da6699cf96bb7fae3f8c1068bfbbcc436f7b9ab8d713e7320ed3fd98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6502627412825402310~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a684d375d49435ae3e762d5e9dbdc48c

SHA1
a5d26fa7482e7b3cee31227aacc142e20df55561

SHA256
7f8104998a3ba5c1b1832312ddc39681b1abfd803d8a28ed5022fee8e46fef45

SHA512
e3a6f4e75f551141ff65658841a780cd44ef7a5bfbbfccedefe6439f1eaf47ab2adb320a7c01437b939053a8be0e0cd49138439876749f1cf18df19630c3cb6c

Download Submit
\Users\Admin\AppData\Local\Temp\~8068844968607433951\End_v1.2.exe

Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
memory/800-155-0x0000000003420000-0x00000000035FE000-memory.dmp

Filesize
1.9MB

Download
memory/800-108-0x0000000002AF0000-0x0000000002CCE000-memory.dmp

Filesize
1.9MB

Download
memory/800-158-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/800-99-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1072-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1072-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1356-162-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1356-169-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1560-141-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1560-168-0x0000000002950000-0x0000000002ACF000-memory.dmp

Filesize
1.5MB

Download
memory/1560-231-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1560-226-0x00000000031F0000-0x000000000336F000-memory.dmp

Filesize
1.5MB

Download
memory/1560-189-0x00000000036C0000-0x00000000048FF000-memory.dmp

Filesize
18.2MB

Download
memory/1576-191-0x000000013F2F0000-0x000000014052F000-memory.dmp

Filesize
18.2MB

Download
memory/1576-239-0x000000013F2F0000-0x000000014052F000-memory.dmp

Filesize
18.2MB

Download
memory/1576-242-0x000000013F2F0000-0x000000014052F000-memory.dmp

Filesize
18.2MB

Download
memory/1632-64-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1632-63-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/1676-229-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1676-237-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1756-233-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1756-228-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1968-7-0x0000000002B50000-0x0000000002D2E000-memory.dmp

Filesize
1.9MB

Download
memory/1968-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1968-58-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2112-172-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2112-175-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/2592-88-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2592-87-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-109-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2688-111-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download