82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 05:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Size

6.6MB
MD5

6ec1efa85155caab6391b7e0c8327333
SHA1

0eb2367eef8e9e811faa2dbb244a950d74becf3d
SHA256

82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad
SHA512

bbf62a722de0fbd243b73c847a20db8f05574525a93ac73138230522dc9a643fd0a86721fab3fa3fbee2696c0a3a3a551870c7c9bc0d82a8d26eeb8ed47f3a86
SSDEEP

196608:NLljZEve2hHDDrBg1+2dnn8RX23Ggta2j:NVZsek1g1+kneXWj

Score

8^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 14 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4340	netsh.exe
2368	netsh.exe
4244	netsh.exe
620	netsh.exe
4428	netsh.exe
4148	netsh.exe
3948	netsh.exe
956	netsh.exe
1204	netsh.exe
2288	netsh.exe
3820	netsh.exe
3860	netsh.exe
2732	netsh.exe
3148	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Autodesk License AutoConfig\ImagePath = "C:\\Program Files (x86)\\Common Files\\Autodesk Shared\\Network License Manager\\lmgrd.exe"	regedit.exe

Executes dropped EXE 12 IoCs

pid	Process
2140	sg.tmp
1016	Start Service.exe
3872	Start Service.exe
3856	sg.tmp
2108	lmgrd.exe
4588	End_v1.20.exe
3148	Start Service.exe
848	End_v1.20.exe
4760	End_v1.2.exe
2604	adskflex.exe
3804	End_v1.20.exe
836	End_v1.20.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3856-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3856-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3028-51-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/files/0x0008000000023447-65.dat	upx
behavioral2/files/0x000700000002344c-108.dat	upx
behavioral2/memory/1016-109-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3872-118-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3872-121-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4588-144-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/3148-158-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1016-160-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/848-169-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/3148-171-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/848-175-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/files/0x00090000000233a9-187.dat	upx
behavioral2/memory/4760-189-0x00007FF766260000-0x00007FF76749F000-memory.dmp	upx
behavioral2/memory/3804-220-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/836-222-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/4588-221-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/3804-224-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/836-226-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/memory/4760-229-0x00007FF766260000-0x00007FF76749F000-memory.dmp	upx
behavioral2/memory/4760-237-0x00007FF766260000-0x00007FF76749F000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2448	powershell.exe
4816	powershell.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic	powershell.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Start Service.bat	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Start Service.bat	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll	xcopy.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 42 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	End_v1.20.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
740	PING.EXE
2544	PING.EXE
2888	PING.EXE
400	PING.EXE
4148	PING.EXE
3056	PING.EXE
1440	PING.EXE

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	End_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	End_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	End_v1.20.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4940	taskkill.exe
3588	taskkill.exe
4356	taskkill.exe
3436	taskkill.exe
648	taskkill.exe
1340	taskkill.exe
1256	taskkill.exe
4836	taskkill.exe
1916	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1872	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE
400	PING.EXE
4148	PING.EXE
3056	PING.EXE
1440	PING.EXE
740	PING.EXE
2544	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4140	powershell.exe
4140	powershell.exe
2448	powershell.exe
2448	powershell.exe
4816	powershell.exe
4816	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeCreateGlobalPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeBackupPrivilege	3856	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	3856	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	3856	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	3856	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: 33	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeIncBasePriorityPrivilege	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
Token: SeRestorePrivilege	2140	sg.tmp
Token: 35	2140	sg.tmp
Token: SeSecurityPrivilege	2140	sg.tmp
Token: SeSecurityPrivilege	2140	sg.tmp
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3936	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeMachineAccountPrivilege	3932	msiexec.exe
Token: SeTcbPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeTakeOwnershipPrivilege	3932	msiexec.exe
Token: SeLoadDriverPrivilege	3932	msiexec.exe
Token: SeSystemProfilePrivilege	3932	msiexec.exe
Token: SeSystemtimePrivilege	3932	msiexec.exe
Token: SeProfSingleProcessPrivilege	3932	msiexec.exe
Token: SeIncBasePriorityPrivilege	3932	msiexec.exe
Token: SeCreatePagefilePrivilege	3932	msiexec.exe
Token: SeCreatePermanentPrivilege	3932	msiexec.exe
Token: SeBackupPrivilege	3932	msiexec.exe
Token: SeRestorePrivilege	3932	msiexec.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	3932	msiexec.exe
Token: SeAuditPrivilege	3932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3932	msiexec.exe
Token: SeChangeNotifyPrivilege	3932	msiexec.exe
Token: SeRemoteShutdownPrivilege	3932	msiexec.exe
Token: SeUndockPrivilege	3932	msiexec.exe
Token: SeSyncAgentPrivilege	3932	msiexec.exe
Token: SeEnableDelegationPrivilege	3932	msiexec.exe
Token: SeManageVolumePrivilege	3932	msiexec.exe
Token: SeImpersonatePrivilege	3932	msiexec.exe
Token: SeCreateGlobalPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeIncreaseQuotaPrivilege	2448	powershell.exe
Token: SeSecurityPrivilege	2448	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4760	End_v1.2.exe
4760	End_v1.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4376	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	85
PID 3028 wrote to memory of 4376	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	85
PID 3028 wrote to memory of 3856	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	89
PID 3028 wrote to memory of 3856	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	89
PID 3028 wrote to memory of 3856	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	89
PID 3028 wrote to memory of 2140	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	90
PID 3028 wrote to memory of 2140	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	90
PID 3028 wrote to memory of 2140	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	90
PID 3028 wrote to memory of 4768	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	92
PID 3028 wrote to memory of 4768	3028	82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe	92
PID 4768 wrote to memory of 2980	4768	cmd.exe	94
PID 4768 wrote to memory of 2980	4768	cmd.exe	94
PID 4768 wrote to memory of 1616	4768	cmd.exe	95
PID 4768 wrote to memory of 1616	4768	cmd.exe	95
PID 4768 wrote to memory of 2972	4768	cmd.exe	96
PID 4768 wrote to memory of 2972	4768	cmd.exe	96
PID 4768 wrote to memory of 4988	4768	cmd.exe	97
PID 4768 wrote to memory of 4988	4768	cmd.exe	97
PID 4768 wrote to memory of 956	4768	cmd.exe	98
PID 4768 wrote to memory of 956	4768	cmd.exe	98
PID 4768 wrote to memory of 3148	4768	cmd.exe	99
PID 4768 wrote to memory of 3148	4768	cmd.exe	99
PID 4768 wrote to memory of 4244	4768	cmd.exe	100
PID 4768 wrote to memory of 4244	4768	cmd.exe	100
PID 4768 wrote to memory of 620	4768	cmd.exe	101
PID 4768 wrote to memory of 620	4768	cmd.exe	101
PID 4768 wrote to memory of 3860	4768	cmd.exe	102
PID 4768 wrote to memory of 3860	4768	cmd.exe	102
PID 4768 wrote to memory of 1204	4768	cmd.exe	103
PID 4768 wrote to memory of 1204	4768	cmd.exe	103
PID 4768 wrote to memory of 2732	4768	cmd.exe	104
PID 4768 wrote to memory of 2732	4768	cmd.exe	104
PID 4768 wrote to memory of 4428	4768	cmd.exe	105
PID 4768 wrote to memory of 4428	4768	cmd.exe	105
PID 4768 wrote to memory of 2288	4768	cmd.exe	106
PID 4768 wrote to memory of 2288	4768	cmd.exe	106
PID 4768 wrote to memory of 3820	4768	cmd.exe	107
PID 4768 wrote to memory of 3820	4768	cmd.exe	107
PID 4768 wrote to memory of 5116	4768	cmd.exe	108
PID 4768 wrote to memory of 5116	4768	cmd.exe	108
PID 5116 wrote to memory of 4276	5116	net.exe	109
PID 5116 wrote to memory of 4276	5116	net.exe	109
PID 4768 wrote to memory of 648	4768	cmd.exe	110
PID 4768 wrote to memory of 648	4768	cmd.exe	110
PID 4768 wrote to memory of 1340	4768	cmd.exe	112
PID 4768 wrote to memory of 1340	4768	cmd.exe	112
PID 4768 wrote to memory of 4940	4768	cmd.exe	113
PID 4768 wrote to memory of 4940	4768	cmd.exe	113
PID 4768 wrote to memory of 1256	4768	cmd.exe	114
PID 4768 wrote to memory of 1256	4768	cmd.exe	114
PID 4768 wrote to memory of 4836	4768	cmd.exe	115
PID 4768 wrote to memory of 4836	4768	cmd.exe	115
PID 4768 wrote to memory of 1916	4768	cmd.exe	116
PID 4768 wrote to memory of 1916	4768	cmd.exe	116
PID 4768 wrote to memory of 4356	4768	cmd.exe	117
PID 4768 wrote to memory of 4356	4768	cmd.exe	117
PID 4768 wrote to memory of 3436	4768	cmd.exe	118
PID 4768 wrote to memory of 3436	4768	cmd.exe	118
PID 4768 wrote to memory of 3588	4768	cmd.exe	119
PID 4768 wrote to memory of 3588	4768	cmd.exe	119
PID 4768 wrote to memory of 3932	4768	cmd.exe	120
PID 4768 wrote to memory of 3932	4768	cmd.exe	120
PID 4768 wrote to memory of 4140	4768	cmd.exe	122
PID 4768 wrote to memory of 4140	4768	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
"C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
  PECMD**pecmd-cmd* PUTF -dd -skipb=1211392 -len=5721318 "C:\Users\Admin\AppData\Local\Temp\~4243264980401338803.tmp",,C:\Users\Admin\AppData\Local\Temp\82815a61bc735854e035eb3eb9ee9b6e30293c2dde9191bd7e25a2870d7f91ad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\~4317127985040849831~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~4243264980401338803.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\Autodesk License AutoConfig\Autodesk License AutoConfig.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\chcp.com
    chcp 936
    3⤵
    PID:2980
- - C:\Windows\system32\mode.com
    mode con: cols=80 lines=15
    3⤵
    PID:1616
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
    3⤵
    PID:2972
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk License AutoConfig" /f
    3⤵
    PID:4988
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="AutodeskNLM"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked Autodesk License AutoConfig"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3148
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4244
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:620
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3860
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1204
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2732
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4428
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2288
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3820
- - C:\Windows\system32\net.exe
    net stop AdskLicensingService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop AdskLicensingService
      4⤵
      PID:4276
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingAgent.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "ADPClientService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "AdskLicensingInstHelper.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmgrd.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "adskflex.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmutil.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "lmtools.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\system32\msiexec.exe
    MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Autodesk License AutoConfig" /f
    3⤵
    PID:3368
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Autodesk License AutoConfig" /f
    3⤵
    PID:4728
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Flexlm Service" /f
    3⤵
    PID:3068
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Flexlm Service" /f
    3⤵
    PID:1416
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\Autodesk License Server" /f
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Autodesk License Server" /f
    3⤵
    PID:1180
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\FLEXlm License Manager\AdskNLM" /f
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /f
    3⤵
    PID:2080
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2544
- - C:\Windows\regedit.exe
    regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\Service.reg"
    3⤵
    - Sets service image path in registry
    - Runs .reg file with regedit
    PID:1872
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe" "C:\Users\Admin\AppData\Local\Temp\" /Y /K /R /S /H /i
    3⤵
    PID:4872
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2696
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:3416
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2992
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.bat" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:4372
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:2240
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
    3⤵
    - Drops file in Program Files directory
    PID:552
- - C:\Windows\system32\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i
    3⤵
    PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
    3⤵
    PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -noprofile -executionpolicy bypass -command "((Get-NetAdapter -Physical | ? PnPDeviceID -match '^PCI|^USB' | Sort PnPDeviceID -Descending).MacAddress | Select -Last 1) -replace '-'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "(gc License.lic) -replace 'MAC', 'C61537EC8B44' | Out-File -encoding ASCII License.lic"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4816
- - C:\Windows\system32\sc.exe
    sc config "AdskLicensingService" Start= Auto
    3⤵
    - Launches sc.exe
    PID:4408
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Autodesk License AutoConfig.xml" /tn "\Microsoft\Windows\Autodesk\Autodesk License AutoConfig"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4356
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4148
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=in action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2368
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4340
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Blocked Autodesk License AutoConfig" dir=out action=block profile=any program="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3948
- - C:\Windows\system32\net.exe
    net start AdskLicensingService
    3⤵
    PID:3920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start AdskLicensingService
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
    "C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      4⤵
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      PECMD**pecmd-cmd* PUTF -dd -skipb=1211904 -len=281 "C:\Users\Admin\AppData\Local\Temp\~5612710100434417163.tmp",,C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\~560062608587108512~\sg.tmp
      7zG_exe x "C:\Users\Admin\AppData\Local\Temp\~5612710100434417163.tmp" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~4187030963666436390"
      4⤵
      Executes dropped EXE
      PID:3856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~4187030963666436390\Start Service.bat" "
      4⤵
      PID:388
    - - C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
        
        "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -z -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic"
        5⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
        
        adskflex.exe -T Pvmnudvd 11.16 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic;" -lmgrd_port 6978 -srv BboZSWyq7DUKz3PcVQ3q2Yzx9DszeeJ6fy2fb0SKwFuRLDJAfZOzMlMTpqBoYN8 --lmgrd_start 66b5a384 -vdrestart 0
        6⤵
        Executes dropped EXE
        
        PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1388588471413177010.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3148
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~1388588471413177010.cmd"
        5⤵
        
        PID:620
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
    C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:4588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c set
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* PUTF -dd -skipb=782848 -len=3289741 "C:\Users\Admin\AppData\Local\Temp\~1636099064994342280.tmp",,C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:848
  - - C:\Users\Admin\AppData\Local\Temp\~4421860297663056786\End_v1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\~4421860297663056786\End_v1.2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~2663141059731220572.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~2663141059731220572.cmd"
        5⤵
        
        PID:1260
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:400
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:740
  - - C:\Users\Admin\AppData\Local\Temp\End_v1.20.exe
      PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~4698181137215759313.cmd"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:836
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\~4698181137215759313.cmd"
        5⤵
        
        PID:3608
      - C:\Windows\system32\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic

Filesize
332KB

MD5
1bcbd5e7af04df8ad383f1d86db4f856

SHA1
237294cd8d8e437d38f65bcd967d034cce27b236

SHA256
a770fe6318a26dabc1144d6a6c02516451305d1094d5416a6b5b51c3ab601abf

SHA512
c9ca8d716868d9460cc73dc3a7cefe06fdb0d96e5abbd9949d3ee65d1b46b8fc5e0153fc83c26ab32ad680e8c3a84b35b7893cf39346e41cbebabe58ba41c34b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f76a4c4be314cda548f254a80cb087a

SHA1
f069a3f468b5d1e12a94244869feb6dcbe608269

SHA256
60e9ce7951e44760c3631e48117d52f3d42beae69969d4c680ea25b6679ca2be

SHA512
1179afd46224288a04f24bc3208fab1b88d2cd9bfa02dfb9c952bbba67053b64f776d384d86941c6a098954695379fc3f8ff440a4733ecfa6302334af77c02bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Autodesk License AutoConfig.bat

Filesize
6KB

MD5
f513bc122b9f1374858612d74aceb18a

SHA1
c09965a5d578bf1f2419467dde0becdbeed7af4a

SHA256
2ee7b303c40ecc9bb6e9648db7c3475ab8febfba0ec7abffca12af42619d2fbd

SHA512
541f2065d0d23156fe6acf4aac64a4b96c958e2d4db61d557933575e3739c6b98812ccf2438f5fbb0afadec6295aa3cd83c4f7bfae0c293bb3916b605d2eddd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\End_v1.20.exe

Filesize
3.9MB

MD5
abdcd215ed468f7282c196a8a9e473d7

SHA1
5702dc33da4bc58627bfc9e8b36fd8d82dba3dde

SHA256
e4eea94f25d2c1ca619b599da095d6cadf1ada9b1939f064f9e328e40d5f5a0e

SHA512
6fadbc0211a058d730e46345d24fe4af5877d9109a6fd9dd4877c6b6ccd9caaa9fa977a27687a522ff4d1647eeaa0c18a42ef546062d65ad675de0b17276d367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\License.lic

Filesize
332KB

MD5
4fcffcea5c7931c763468249b7cbc55c

SHA1
7818e91f977d59e56f3d19a3155d29d825f17814

SHA256
704a1fd15883b7a530ed9892eb907579d57458104caa20f96c18026ca3eb73d8

SHA512
360aadcba064b00b6a2480b99c3f9a60a34c4f5587c84448546bcc72a4e2810ef471ad550abd6804b47b5b085b058e4dc31db4d034067c911a42c1531e2859e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\NetworkLicenseManager\lmgrd.exe

Filesize
1.1MB

MD5
219f8cebef26f1373062357b2f4a8489

SHA1
c77dfc5aa7b908533b6ecba8d8475dcc3545b416

SHA256
cf025ecfb3556e334dde501b95485998de9e1b6a06ccbd56ffa1345d6b5a3973

SHA512
2f9d50c51c74add14c4a64425e36b4a289da76e85aaf05bd8ef8c421cbaa6811a8f43a23513b40248fe71ae17301e8170625d3a72299a189ca5261d816d6b0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\netapi32.dll

Filesize
127KB

MD5
5c51cc926c76b23830d27a97445bf734

SHA1
51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d

SHA256
655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb

SHA512
ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\PatchedFiles\version.dll

Filesize
73KB

MD5
4c059805319a0bb6830c563e41d85918

SHA1
569cbf5401de4c378e7aac030c94430daef57b62

SHA256
c6a4426b196f19b0a456908b20a1b5fa6d2dae8cdb1ee7bc537f2842014ba6db

SHA512
e12a6ac84aa6a96965a092f09fcc7711ff3553c64b620a595ba1f1726377f7356e97d0ffa0dc8759d8217fd67a18b312e8c37c6441bbe9c438596742a0ad6b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Autodesk License AutoConfig.xml

Filesize
3KB

MD5
7e9f374f1a3f8ddedb20739ce4f14793

SHA1
5ad7bb8ced7f4f75a4c45d00ba3ee342897f3693

SHA256
7a4ae3aa5d57dcee5efd7539d33bfd32385b59be457ebd89f478674c3e4228d3

SHA512
a0849c9eec599287f33220743216af3e102fcf9d4b5b34fb6d7f4b15febd22d941c9cf03561a50f316dfcfdea03d00fe5993383982d70284f4c61085b7175683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.bat

Filesize
280B

MD5
f37de3c68d1361af9eb7cc76a3678f44

SHA1
ec0fe3d707135bf7edf17e5b10f047f02fdc8bfc

SHA256
4c7496fd774b64d806d260dd9ba13da4cffeda74c1c5fcea2b17769f73e0ebff

SHA512
fe95005f698562dcd7e158822be60751d5ad20a15dc9add04ee4f8d7cf93c91f2fcd2b82a3a48c08f365d5d04ca14e29f0d67318b72d8b9452dc32165a8388bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Task\Start Service.exe

Filesize
1.2MB

MD5
841fa66b8c9f4af25a67be2e0bd26066

SHA1
b85865233a987b22f2c51d58908bbe2925108810

SHA256
1a64fc057a4455047f24b8422e2969fb0c8bc43a27669ac8c602d3e3b2c7f30f

SHA512
74a0f7c844920399e0b4c6bd797f9e14a52ba797dbd6c0e0a8bec756dae5c1e27e4a793eaa54598f72bc1496c18ef4d391822a2dae03e642adb401f1202801c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\Service.reg

Filesize
3KB

MD5
0febbbabcb143c13348113692f24285a

SHA1
1841ffc26b9f7a523d78ce66f3b2caa330838a9f

SHA256
540b98d56fa0a02df178ca7a4ad4bc6ad05248dac87d331d298520152928ab71

SHA512
2b71ede28f998439102580bc6e485ceac92996130feba8285106c48e7aa6f23205b454d5838f569944670bf466ad78d103111f07ca562deebfea1864e45930f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autodesk License AutoConfig\Tweak\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5iah3ltl.xie.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1388588471413177010.cmd

Filesize
467B

MD5
538da6352794a81d28273fbc6b196d49

SHA1
ff809348f30d66102df79f2855181ee689d74c76

SHA256
11bc8aa0162df3cf4ca54927e7bb75d958bf10d7bc5abd7c5fe7e9bd81bedcdb

SHA512
cbc1f6521ebeddfe21cb3f575ea3d80cd4e3a424e8c212429aec45770052d3a91cf2c402f31d274ba5b318e9a8b30ceb1818224fce88c7375faedf5d7788ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1636099064994342280.tmp

Filesize
3.1MB

MD5
80ab2f749a3753866a20b5b87375fe43

SHA1
bac069abf966cf486687845c74eed0cf7aee036e

SHA256
8f297022f3ed3288e2f75a8ed590d52dad8b731f074ba0eed4809efc47631fbe

SHA512
2c6095031c9c4245e4d38fd9d4b17373731980c045cd84f7b4587702b553226349af18bea424edfc34a43b0c84470492ade270be671e8af7560d55a091de9b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2663141059731220572.cmd

Filesize
373B

MD5
8042b22ac958437a9557c26386e0a4c4

SHA1
f12713cf515c56775432297132ce5cd761a55c7f

SHA256
d8faf702854839f4acca32ca015b75cc9e0ac8343b032dff8ca91218321aeffe

SHA512
530382d2ce914c0456a143404ab69798b59eb78b6ee642b6fc980d7281e9d8032cb243ddf2048ffa22d0c95cf6df0c0074048632fd4f6490c05ac9bc5670fc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4187030963666436390\Start Service.bat

Filesize
310B

MD5
6aa40e5450992c32550929c0230b2a90

SHA1
ae74e62e72acfed63b0a3ad0782653f341e28000

SHA256
beb6399c43c88ff6c9bf1690903d83c3d311af5fbd9d5a79cb32277582786e6f

SHA512
f888764eb0e646ef879420088e426ddd2cbd39b6a9de18429faeb3efdefceff4270a78b94b07cca15479e84885993fe9e4c1f545c12ed463372024e9730e225e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4243264980401338803.tmp

Filesize
5.5MB

MD5
e29423e3cd4c695d381d0bceb6cd3aa0

SHA1
4a9cf856336a6059635216c341c36adee14343ce

SHA256
0a1f043af7d230d3e51425ae40cafefcbb65588f1cadb929efdacee15b046cbd

SHA512
81a2d934d1bdb5b56d4bcbc1d1683dfb90065309a3a85c5c456743850a23c81c4d22920da6699cf96bb7fae3f8c1068bfbbcc436f7b9ab8d713e7320ed3fd98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4317127985040849831~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4421860297663056786\End_v1.2.exe

Filesize
3.5MB

MD5
939261459f9c29343dd1d6bd51f3709e

SHA1
b1110b91465ebc137402a3c30842b0e87e870365

SHA256
b5732ac85589fdbe360af0d41fe4b409796fe414999c785bcf11f9b092ecf028

SHA512
697e447e742854cc4a9111b6451f2eed31d8d87b5db595ac6958ddd4f93110d1ad5e154c01a8b64db1cd7e26dcfffd637e183315a6aeeb7899ebc76c64f321db

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4698181137215759313.cmd

Filesize
356B

MD5
8f570c384b39a4f918d7157e2e0a35f1

SHA1
bd38286dd3162dab79ee02ee4490e8e973a1af4f

SHA256
425c65d0f4f503046c42900138c4c4f6597f215533d845cf008c6dfde71f62e5

SHA512
623b9eb35e1ac23468f0721de0e3b43191bd1ce1e3add3e0e1c111f304a78614f57451a912036adfc4cc9b81b63fa3be8d5564e6fce3d7c1b857a0fb908cd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5612710100434417163.tmp

Filesize
281B

MD5
04e43781d01e5710ccf44331e3be0366

SHA1
8f1bf1047c7729706a2dbdad8a593c5487541f2c

SHA256
7c9face6c5805b0a1cab54787a589064d8db99f88141fb4cd42249ca57db1f4d

SHA512
6895d7df0536f9152a67920ce09c0ed30aea735d43514d68f82b4d1f8abb87d83055af4970f31cb79542f14e1d685a74ce69a11fb13e9a53537daabddd3304f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~3316641575335875492.tmp

Filesize
143B

MD5
25f387629ffbf0bbada23ce1ac1ff26e

SHA1
6a298921bfba0538cbd7efc34adba482cacd2f42

SHA256
5bcec7358d3ce958532585be14c61b2326fc7e43b27958b067501975e0fd8b0c

SHA512
3e8c8ebe5a0622b016c85f97acef6143d0d6350b51206cc4827085c91bd853c770bf8c7488918914f436c780742c5598c379758515c5740b457dadc8e1f6aa02

Download Submit
memory/836-222-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/836-226-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/848-175-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/848-169-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/1016-109-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1016-160-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3028-51-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3028-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3148-158-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3148-171-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3804-224-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3804-220-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/3856-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3856-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3872-121-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3872-118-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4140-57-0x000002BCB4BC0000-0x000002BCB4BE2000-memory.dmp

Filesize
136KB

Download
memory/4588-144-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4588-221-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4760-189-0x00007FF766260000-0x00007FF76749F000-memory.dmp

Filesize
18.2MB

Download
memory/4760-229-0x00007FF766260000-0x00007FF76749F000-memory.dmp

Filesize
18.2MB

Download
memory/4760-237-0x00007FF766260000-0x00007FF76749F000-memory.dmp

Filesize
18.2MB

Download