Malware Analysis Report

2024-09-23 16:47

Sample ID 240512-j63fdagb3w
Target b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218
SHA256 b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218
Tags
evasion execution persistence qr link
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218

Threat Level: Known bad

The file b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218 was found to be: Known bad.

Malicious Activity Summary

evasion execution persistence qr link

Disables service(s)

Creates new service(s)

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Blocklisted process makes network request

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

One or more HTTP URLs in qr code identified

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-12 08:17

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"

Signatures

Disables service(s)

evasion execution

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe N/A
(the same Geo\Nation query is recorded 43 times in this detonation; identical rows collapsed into one)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe C:\Windows\system32\msiexec.exe N/A
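The table above records two different writers: msiexec.exe laying down the Network License Manager components, and xcopy.exe writing netapi32.dll and version.dll into the AdskLicensingAgent directory and opening adskflex.exe for modification. Files carrying the names of Windows system DLLs appearing in an application directory are the DLL search-order hijacking pattern, and the report's signatures do not call that out on their own. The following is an added detection-logic example, not part of the sandbox report, run over the rows of this table: it parses the file events and flags a system-DLL name written outside the system directories, and an existing executable modified by something other than the installer. The DLL-name list is an illustrative assumption, not an exhaustive one.

```python
import re

# Rows copied verbatim from the "Drops file in Program Files directory" table
# of this report: "<action> <path> <writing process> <target>".
EVENTS = r"""
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe C:\Windows\system32\msiexec.exe N/A
"""

# The path column may contain spaces; the process column (always under C:\Windows here) does not.
ROW = re.compile(r"^(File created|File opened for modification) (.+?) (C:\\Windows\\[^ ]+) N/A$")

# Assumption: an illustrative, not exhaustive, set of Windows system DLL names that
# are commonly planted next to a trusted executable for search-order hijacking.
HIJACK_DLL_NAMES = {
    "version.dll", "netapi32.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "uxtheme.dll", "profapi.dll", "winmm.dll", "dbghelp.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INSTALLER = "c:\\windows\\system32\\msiexec.exe"


def parse_events(text):
    """Turn the report rows into (action, path, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_suspicious_drops(events):
    """Return unique (rule, path, process) findings in first-seen order."""
    findings = {}  # dict keeps insertion order and de-duplicates repeated rows
    for action, path, proc in events:
        lpath, lproc = path.lower(), proc.lower()
        name = lpath.rsplit("\\", 1)[-1]
        if name in HIJACK_DLL_NAMES and not lpath.startswith(SYSTEM_DIRS):
            # A system-DLL name written into an application directory.
            findings.setdefault(("system_dll_name_in_app_dir", lpath, lproc), None)
        elif name.endswith(".exe") and action == "File opened for modification" and lproc != INSTALLER:
            # An executable the installer put down, then rewritten by another process.
            findings.setdefault(("exe_modified_by_non_installer", lpath, lproc), None)
    return list(findings)


if __name__ == "__main__":
    for rule, path, proc in find_suspicious_drops(parse_events(EVENTS)):
        print(f"{rule}: {path} (written by {proc})")
```

On the rows above this yields three findings: netapi32.dll and version.dll planted in AdskLicensingAgent, and adskflex.exe rewritten by xcopy.exe after msiexec.exe created it.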

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI952E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579119.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579115.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9376.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI951E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95AC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI93E4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI96B7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579114.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e579114.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e579115.mst C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{4BE91685-1632-47FC-B563-A8A542C6664C} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "5FB46D79661AA9C4D8C8D2B42D9B321F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185729024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11.18.0.0_ipv4_ipv6_win64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4160 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2368 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2368 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 4160 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4160 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 1084 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 1084 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 4160 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4160 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2136 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2136 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 3260 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 4484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 5116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 3260 wrote to memory of 5116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4160 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2596 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2596 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 1468 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 1468 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4160 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 1116 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 4160 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 1700 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 4160 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 996 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 4160 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4120 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 4160 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 884 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 4160 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 3088 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 4160 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2776 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 4160 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\reg.exe
PID 4160 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 612 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 4160 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 4432 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 4160 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskLicensingService

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop AdskLicensingService

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskLicensingService

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start AdskLicensingService

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "FNPLicensingService64.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im "FNPLicensingService64.exe"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "FlexNet Licensing Service 64" start= disabled

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config "FlexNet Licensing Service 64" start= disabled

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop AdskNLM

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 4A43ADFB298F5E5619F6B3FD5A75952A

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 187CB0C3DC227559F8BC3745866D1F97

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8B7D749A31F7192E57D1E31F29889B1C E Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start AdskNLM

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

adskflex.exe -T Objiyuie 11.18 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -lmgrd_port 6978 -srv zjsruX2uMLpny6QROdFKXhfTq0ecXLMvPk0WTGRvWILuwTN9Gk3pvhHDk28go77 --lmgrd_start 66407b44 -vdrestart 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
CZ 23.212.110.209:443 www.bing.com tcp
US 8.8.8.8:53 209.110.212.23.in-addr.arpa udp
N/A 10.127.0.101:27000 tcp
N/A 10.127.0.101:27001 tcp
N/A 10.127.0.101:27002 tcp
N/A 10.127.0.101:27003 tcp
N/A 10.127.0.101:27004 tcp
N/A 10.127.0.101:27005 tcp
N/A 10.127.0.101:27006 tcp
N/A 10.127.0.101:27007 tcp
N/A 10.127.0.101:27008 tcp
N/A 10.127.0.101:27009 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 10.127.0.101:27000 tcp
N/A 127.0.0.1:55798 tcp
N/A 127.0.0.1:27000 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll

MD5 51f0e19b4cf164ecba9a006c4cf3b2a5
SHA1 34a4df9c5bdb61e92a8f6f6986273fdf361d9c51
SHA256 6f13e52d797a732435c8bb456be08c64d0b6fadea29f85486f4b44559d6cc95f
SHA512 d78a56f0fcf51e438dab92e6791720e6d96d8e39ac3b3ab0d6a881ea94719d61ccb0a041da11c8c92c4d4681d6d8b83fbf4f1ee8c209ea34541001f6fce18d4e

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll

MD5 5c51cc926c76b23830d27a97445bf734
SHA1 51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d
SHA256 655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb
SHA512 ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi

MD5 5b47b9b432264a3db0027391e840b606
SHA1 5234c465bc6c4bc22dd6bb1502b671a57b55b7f7
SHA256 17ef73864bc721ec19c25052dec89619ef2c5c244fcafee46f415608a29b1c81
SHA512 ee30955fc2fc343f40beb97da76e41d282e090d3edeaa1d26043ac16600e05c30ffc6588d92825d0e5565715a5d9315dbf12f80f497da038e52b5d33643dcc67

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst

MD5 29810bab1ef69a3d26872093ef09372b
SHA1 7909ffedce856814353a753bcf891085c4c0f03e
SHA256 90e413cd675ee085c441df6327f6661a3459f4e109e0684b1a361c050d672bdb
SHA512 f4c08df269e65accac37233cb6abe0d6c5ed6fa952bb11f4f77abaa628ef2301f85627fe3bf2a3a79d99f6dd841abe7629b74b13eab96cce48d1c82911d6f857

C:\Windows\Installer\MSI9376.tmp

MD5 745686a040d4e3f775e25191c869b1e2
SHA1 b8cebdf1f83d78e5f39b285a32e377388de2cfda
SHA256 706875b6ce4b23ba395164e9280b78f6b7daebad14440b4cb472f1e684b3af9d
SHA512 ee7aa91aef46836463ff61f6aefb45db3a49b0c694cb542d2758a8a2f9b036f22680f915f0b8469d60041b7ff74b0b2cfbb053c11651f5b88716c1386615c5f0

C:\Windows\Installer\MSI93E4.tmp

MD5 d773d9bd091e712df7560f576da53de8
SHA1 165cfbdce1811883360112441f7237b287cf0691
SHA256 e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA512 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe

MD5 2791efeb418895f1f26597417435bef3
SHA1 5a571527607c8e0f150802577be39c086bec914a
SHA256 3019072311996868ffbe6b904713aad149a60f8cfc56ce25134f5864f8aebe01
SHA512 83ccb244632571c848675d75248dde45e21a86940be81e8d061cf9edce93462317a5ffca847f546360feb01e6d62d0e87d024f56825cb70c59d047bad3980c0f

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

MD5 f12c3e03b9d483e1ebddedfb0dfbfbae
SHA1 95b87460dea43111df5a92f8c6272b4fcf327563
SHA256 1c347344df9fa1d2138c7fd7063ca161555e68d05c56deb527c442af8af7ac44
SHA512 02f64715bcd4ca53cd5e9e8c90cd9e3c2b273b82dbe9a41185a7b78117c0024435d76462eb24a258b7b3fc3f487969d2d0eed269469852ef96293ac8a7524ddc

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe

MD5 8ffb63dc14e80d41c803aedc6bb90137
SHA1 944e599fa01f16a784a588aee5699c84fd8ad4c8
SHA256 2fd05e58d2623280cc63575a30dd698dc0d4ba16eca42ab0e5343bca7e2fa779
SHA512 800e6192f0650ec7a611a84ed05128658b59dcd6f82a1f57736b6ebfc44274f52b010cd233d28e640fff5d7a28eff33c67cf5daba5b76da52f3b48e2b213e11e

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

MD5 2b62942ac6d4bdf9233bb1d8dbca59d9
SHA1 af05185577f941d24c3e78825b2034bd5ab33473
SHA256 c2efadf435920e9cd4b02763d6dd430e342112185890239307d65814ff723ab9
SHA512 89ef572c26b0c36279bfdf8adfd175a447b26e976f9de6d72b0e7f3e7c543ab71f3b1e005eda02e40e195c96bb39230abca045439d92915cc58d855c113b1c00

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf

MD5 025a79b45214a675b104acc201e5c03a
SHA1 ecd28d143b04ea3a6a915db95ecb0efeee7639a0
SHA256 25e159e37e1641f1bc5b0cc4ae5fa5eb6251a585e0560fccdd5e8cade9648dff
SHA512 b5fa642925d25980f00d7a9ceee7d1a40aed226aa1a6166ac9c632aa2abe74d4e7c5d682fe6ae524cde3f282205c2c8b1dd6c4984693612e27a09530f34c27e5

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf

MD5 db9b6d0f44bc811c52314bf36f6328b2
SHA1 0dbe841933f5cf468b42db7eb6b0aae88292300d
SHA256 994dbb01d6e468706e7f783b609bc9948e05ddf55fb0c43333d55c09359064e8
SHA512 5679169d9baf3654fcd1b73a46914f4cbfe37bc177b2fc8a9d711a71aca6d96bbb08b1645d26b0c5a2855a2a8bd1ac748e47c24b2832a134fd3d1c085df52941

C:\Config.Msi\e579118.rbs

MD5 baf51fabfc6a70da166ddbe6c9ee71ba
SHA1 02108b54bbb3cebd970285f72191b87c627c208d
SHA256 caf8d3cb09df4c6147eb25f7d171230a95a75df8bb3b143431e99196d6e99089
SHA512 695421c7b798f047d35e43bfdae8682296f7a4aaa7f1a3c9ebfad17316127b7e8b8c6c1536cdb27768fadc129042978c6834467907bac9753274c723dc41ebb4

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe

MD5 c00b8b7b1c084718ec5d63a53aefb1eb
SHA1 829f8afa420e6231302e42dfff13f05099a86248
SHA256 05b24756d46ce216c84878dddc97ef9e2eeb6eca8ec12c97e780c4d0eef63731
SHA512 6ea0cee172e63f0ecb18b9b7971519d1db7b9c469b4e5cebc5bd79369c9c66adfe70fd3d55967da63070f193502df028cd79c5af9ee5e188316533732bd70056

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd

MD5 606ac2202cd0b8488c6ac4f9078f3081
SHA1 dcad1a2603ca52d3ec6428fdf515913556d402e5
SHA256 5252a0f65286025e335661873ecdc4a7e9b6b8fe7d1a4d1ff5ac08549465a54f
SHA512 59792500aea8ba4263f82bca9c5abbce24b2a864c78f48b4c44153c2c3f85d3e2fbe6a4e2a9b74681da40e734cf143d4c159939079649a3432b3139050b647b6

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic

MD5 2b7af274d669590f4f3cfd580b1aeb38
SHA1 8ea69412ee2d662b8af8023fce2edab0e1275559
SHA256 716f2ab691f4b328602967be934f415f32e16a3184e133ba203aaeade9ad27ce
SHA512 25ca79e4e61b870d6d55bd5db58c3a9e6b72a683da5c20049df6377ca84d6238e8d1d72f9f104d637e8a19cc17774ac6e7b8b4241d19739c2cb8e5f2ac2feeb7

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json

MD5 ba3088f87edfcceb1e084c971db40601
SHA1 ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f
SHA256 e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651
SHA512 e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\fstln.txt

MD5 2ef88db4a982dc69584e063954ca147b
SHA1 44ad0967724adf33536ad3961e27d210a5f2dc5b
SHA256 85f26c896ab13e855f7b0e5c9f90b5fe257a49b91da6e15f810ee8f91b4828e9
SHA512 556fca1c61bb30ae8d8400393325e911ccd10a56a3350453ec51da2513a8e7c06ca4cba8f407ccefa3600238134cd0d1883bff947547a742dab96bf3248acf71

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic

MD5 63bb9358ceb508c23f31ecedefeaf6d0
SHA1 97df01827a238a0a032994f544c86245befa6fea
SHA256 758f251cb1b9ba736227fb4a2f4c5bb9fc68254aef5db6900cdaa70dc7b5ad46
SHA512 49e5ca0bd51e45233d99f36a36357dcede5d1520a47e962f6c97299b3f160060ae557f8c66ce3b9aec95d4c14543e7e15861c1537518bba43e51241cb8702cfe

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"

Network

N/A

Files

memory/2768-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win7-20240221-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"

Network

N/A

Files

memory/1972-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"

Network

N/A

Files

memory/2956-0-0x0000000002150000-0x0000000002151000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

98s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ޶.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ޶.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
CZ 23.212.110.209:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.110.212.23.in-addr.arpa udp
CZ 23.212.110.209:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A
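The four runs behavioral3, behavioral5, behavioral7 and behavioral10 each open one of the dropped .url shortcuts through rundll32 ieframe.dll,OpenURL, which is the shell's registered handler for Internet Shortcut files: it reads the URL= value from the [InternetShortcut] section and hands that target to the default handler for its scheme. None of the four runs records a connection that identifies the shortcut targets (the Windows 10 run shows only Bing and reverse-DNS traffic), so the targets have to be read from the files themselves. The parser below is an added example, not code from the sandbox vendor or from the sample; it extracts and classifies the target without detonating the file. The sample inputs in it are constructed, not recovered from this report, and the host names in them are placeholders. The decoder tries UTF-16 with BOM, UTF-8 and then GBK, because Windows writes these files in the system ANSI code page and the garbled non-ASCII file names above are what a double-byte code page looks like after being decoded as UTF-8.

```python
"""Static triage of Windows Internet Shortcut (.url) files.

Added example; not code from the sandbox vendor or from the sample.
rundll32 ieframe.dll,OpenURL acts on the URL= key of the
[InternetShortcut] section, so parsing that section shows the target
the detonation would have launched.
"""
import configparser
from urllib.parse import urlsplit


def _decode(data: bytes) -> str:
    """Decode a .url file: UTF-16 with BOM, else UTF-8, else GBK (the
    ANSI code page of a Chinese-locale system), else cp1252."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    for enc in ("utf-8", "gbk", "cp1252"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1")


def parse_url_file(data: bytes) -> dict:
    """Return the keys of the [InternetShortcut] section, case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str                      # keep URL / IconFile spelling
    text = _decode(data).replace("\r\n", "\n")
    try:
        cp.read_string(text)
    except configparser.Error:                # not an INI file at all
        return {}
    for section in cp.sections():             # Windows matches case-insensitively
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def triage_url_file(data: bytes) -> dict:
    """Extract the target and flag properties worth a second look."""
    keys = parse_url_file(data)
    target = keys.get("URL", "").strip()
    icon = keys.get("IconFile", "").strip()
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    findings = []
    if target.startswith("\\\\") or scheme == "file":
        # Not a web link: the shell opens a local or remote file, so a
        # .url can launch an executable on a share exactly like a double-click.
        findings.append("file/UNC target")
    elif scheme == "http":
        findings.append("cleartext http target")
    elif scheme != "https":
        findings.append(f"unusual scheme: {scheme or 'none'}")
    if icon.startswith("\\\\"):
        # Explorer fetches the icon from a UNC path when it renders the
        # shortcut. Generic check; nothing in this report shows it.
        findings.append("IconFile points at a UNC path")
    return {"url": target, "host": parts.hostname or "",
            "icon": icon, "findings": findings}


if __name__ == "__main__":
    # Constructed sample, not a file recovered from the report.
    demo = (b"[InternetShortcut]\r\nURL=http://example.invalid/tutorial\r\n"
            b"IconIndex=0\r\n")
    print(triage_url_file(demo))
```

Run it over the extracted shortcuts before, not instead of, detonation: a target that resolves to a file:// or UNC path changes the question from "which site" to "which binary".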

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win7-20240221-en

Max time kernel

126s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"

Signatures

Disables service(s)

evasion execution

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\xcopy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll C:\Windows\system32\xcopy.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic C:\Windows\system32\cmd.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770fc0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770fba.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770fbb.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI173B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1CD9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1DF3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770fbe.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770fbb.mst C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770fbe.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1CB9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI214F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770fba.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI17C8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185729024" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "5FB46D79661AA9C4D8C8D2B42D9B321F" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11.18.0.0_ipv4_ipv6_win64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2248 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2536 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2536 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2536 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2248 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2592 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2592 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2592 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2428 wrote to memory of 2392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2248 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 1596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2824 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2824 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 112 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 112 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 112 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2280 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2280 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2280 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\sc.exe
PID 2248 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2480 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2480 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2480 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
PID 2248 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 2248 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
PID 1836 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe C:\Windows\System32\taskkill.exe
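The signatures above, read together with the process listing for this run, describe one fixed sequence: AdskNLM.exe re-launches itself with -sfxwaitall:0 and a single command per child (consistent with a self-extracting archive running a scripted command list), and those children do sc stop AdskLicensingService, taskkill /f of AdskLicensingAgent.exe, xcopy of version.dll and netapi32.dll from the Temp staging directory into the AdskLicensingAgent directory under Program Files, sc start of the service, further forced kills of the Autodesk desktop components, and reg delete of the "Autodesk Access" Run value. The copies are the point of the chain: for a DLL name that is not on the KnownDLLs list, the loader searches the application's own directory before System32, so a file named version.dll placed beside the agent binary is loaded in place of the Windows one, which is why version.dll is such a common hijack choice. The correlator below is an added example, not code from the sandbox vendor or from the sample. It runs that rule set over process-creation events; the events in it are constructed from the command lines in this listing (PIDs dropped), the rule names are this example's own, and the list of shadowed DLL names is an assumption extended beyond the two the report shows.

```python
"""Correlate process-creation events for the DLL side-loading staging
pattern in this analysis: stop the target service or kill its process,
copy a DLL bearing a Windows system DLL name into the application's
Program Files directory, restart the service, remove the vendor's Run
entry. Added example, not sandbox or sample code.
"""
import re

# Assumption: illustrative set of system DLL names commonly shadowed by a
# same-named DLL dropped beside an application binary. The report itself
# shows only version.dll and netapi32.dll.
SHADOWED_DLL_NAMES = {"version.dll", "netapi32.dll", "dbghelp.dll",
                      "wininet.dll", "cryptbase.dll", "userenv.dll"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or u for q, u in _TOKEN.findall(cmdline)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p and ("\\appdata\\" in p or "\\temp\\" in p)


def _is_program_files(path: str) -> bool:
    return path.lower().startswith("c:\\program files")


def correlate(events: list[tuple[str, str]]) -> list[dict]:
    """events: (image basename, full command line) in creation order.
    Returns findings as {"rule": ..., "cmdline": ...}, in event order."""
    findings = []
    stopped_or_killed = False   # a service stop or forced kill was seen
    dropped = False             # a suspicious DLL copy was seen
    for image, cmdline in events:
        img = image.lower()
        args = argv(cmdline)[1:]            # drop argv[0]
        low = [a.lower() for a in args]
        if img == "sc.exe" and "stop" in low:
            stopped_or_killed = True
            findings.append({"rule": "service_stop", "cmdline": cmdline})
        elif img == "taskkill.exe" and "/f" in low:
            stopped_or_killed = True
            findings.append({"rule": "forced_kill", "cmdline": cmdline})
        elif img == "xcopy.exe":
            paths = [a for a in args if not a.startswith("/")]
            if len(paths) >= 2:
                src, dst = paths[0], paths[1]
                if (_basename(src) in SHADOWED_DLL_NAMES
                        and _is_user_writable(src) and _is_program_files(dst)):
                    dropped = True
                    rule = "dll_drop_after_stop" if stopped_or_killed else "dll_drop"
                    findings.append({"rule": rule, "cmdline": cmdline})
        elif img == "sc.exe" and "start" in low and dropped:
            findings.append({"rule": "service_restart_after_drop",
                             "cmdline": cmdline})
        elif (img == "reg.exe" and low[:1] == ["delete"]
              and any(a.endswith("\\run") for a in low)):
            findings.append({"rule": "autorun_removed", "cmdline": cmdline})
    return findings


# Constructed from the command lines in this listing; PIDs omitted.
SAMPLE_EVENTS = [
    ("sc.exe", r'"C:\Windows\System32\sc.exe" stop AdskLicensingService'),
    ("taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f'),
    ("xcopy.exe", r'xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"'),
    ("xcopy.exe", r'xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"'),
    ("sc.exe", r'"C:\Windows\System32\sc.exe" start AdskLicensingService'),
    ("taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe'),
    ("reg.exe", r'"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f'),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['cmdline']}")
```

The rule names encode order on purpose: a dll_drop on its own is what some updaters look like, while dll_drop_after_stop followed by service_restart_after_drop is the complete pattern and is what this run produces. On a live host, the cheapest confirmation is the one the signatures point at: a version.dll or netapi32.dll inside the AdskLicensingAgent directory whose signature is not Autodesk's or Microsoft's.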

Processes

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskLicensingService

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop AdskLicensingService

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskLicensingService

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start AdskLicensingService

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "FNPLicensingService64.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im "FNPLicensingService64.exe"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "FlexNet Licensing Service 64" start= disabled

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config "FlexNet Licensing Service 64" start= disabled

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" stop AdskNLM

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )

C:\Windows\System32\Wbem\WMIC.exe

wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding B1D05E27E934818774155257B7D9E9DC

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B6AD12B618031C27F1498600C953510F

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F866A4A1243D24D95FDF5CA8F2814772 M Global\MSI0000

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo D "

C:\Windows\system32\xcopy.exe

xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"

C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe

"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskNLM

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start AdskNLM

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

adskflex.exe -T Kxippckf 11.18 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -lmgrd_port 6978 -srv brzoKmoC9dQKRL59C5rMCGOEHXLBfRQt8vTs0PcINZ1PUVy9kGvEGj61w3oB0mw --lmgrd_start 66407b5f -vdrestart 0
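
The process listing above is a license-tampering sequence driven by the SFX (AdskNLM.exe) through built-in Windows tools: taskkill against Autodesk and FlexNet processes, sc stop and sc config start= disabled against licensing services, reg delete of the "Autodesk Access" Run key, wmic product ... call uninstall of Autodesk components, xcopy of version.dll and netapi32.dll into Autodesk program directories, wmic enumeration of MAC addresses (hardware fingerprint for the generated license file), and sc create of a new AdskNLM service pointing at lmgrd.exe. The following Python is an added triage example, not the sandbox's own signature logic: it runs a small rule set over command lines in this format and reports which behaviours appear. The sample lines are copied from the listing; the rule names, regular expressions and ATT&CK technique mapping are this example's assumptions.

```python
"""Heuristic triage of Windows command lines like the ones in the listing above.

Added example (not the sandbox's signature engine). The sample lines are copied
from the report; rule names, regexes and the ATT&CK mapping are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK ID chosen for this example (assumption, not from the report)
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    line_no: int
    image: str
    rule: str
    technique: str


RULES = [
    Rule("service_disabled", "T1562.001",
         re.compile(r'\bsc(?:\.exe)?"?\s+config\b.*\bstart=\s*disabled\b', re.I)),
    Rule("service_stopped", "T1489",
         re.compile(r'\bsc(?:\.exe)?"?\s+stop\b', re.I)),
    Rule("service_created", "T1543.003",
         re.compile(r'\bsc(?:\.exe)?"?\s+create\b.*\bbinPath=', re.I)),
    Rule("process_killed", "T1489",
         re.compile(r'\btaskkill(?:\.exe)?"?\s.*/im\s+"?.+?\.exe', re.I)),
    # A DLL copied next to a vendor binary is the classic search-order hijack staging step.
    Rule("dll_dropped_in_program_files", "T1574",
         re.compile(r'\bxcopy\b.*\.dll"?\s+"?C:\\Program Files', re.I)),
    Rule("run_key_deleted", "T1112",
         re.compile(r'\breg(?:\.exe)?"?\s+delete\b.*\\CurrentVersion\\Run\b', re.I)),
    Rule("msi_product_uninstalled", "T1562.001",
         re.compile(r'\bwmic\b.*\bproduct\b.*\bcall\s+uninstall\b', re.I)),
    Rule("mac_address_enumerated", "T1016",
         re.compile(r'\bwmic\b.*\bWin32_NetworkAdapter\b.*\bMacAddress\b', re.I)),
]


def image_name(cmdline: str) -> str:
    """First token of a Windows command line, quoted or bare, reduced to its basename."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        token = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        token = cmdline.split(None, 1)[0]
    return token.rsplit("\\", 1)[-1]


def analyze(cmdlines):
    """Run every rule over every command line; one Finding per (line, rule) hit."""
    return [
        Finding(i, image_name(line), rule.name, rule.technique)
        for i, line in enumerate(cmdlines)
        for rule in RULES
        if rule.pattern.search(line)
    ]


def triage_score(findings):
    """Count distinct behaviours, not raw hits, so a loop of taskkills does not
    outweigh a single service creation."""
    return len({f.rule for f in findings})


# Constructed sample: ten command lines taken verbatim from the listing above.
# The last two are controls that no rule should flag.
SAMPLE_CMDLINES = [
    r'xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"',
    r'"C:\Windows\System32\taskkill.exe" /f /im "FNPLicensingService64.exe"',
    r'"C:\Windows\System32\sc.exe" config "FlexNet Licensing Service 64" start= disabled',
    r'"C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"',
    r'"C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM',
    r'"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f',
    r'wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive',
    """wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType""",
    r'"C:\Windows\System32\sc.exe" start AdskLicensingService',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo D "',
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_CMDLINES)
    for h in hits:
        print(f"line {h.line_no:2d}  {h.image:<14} {h.rule:<30} {h.technique}")
    print("distinct behaviours:", triage_score(hits))
```

The rules key on the child process's own command line, so the same pattern also fires on the parent `AdskNLM.exe -sfxwaitall:0 "sc" stop ...` lines; when feeding a full process tree, deduplicate on the child to avoid counting each step twice.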

Network

Country  Destination          Domain                      Proto
US       8.8.8.8:53           crl.microsoft.com           udp
BE       23.14.90.72:80       crl.microsoft.com           tcp
US       8.8.8.8:53           www.microsoft.com           udp
CZ       2.19.217.218:80      www.microsoft.com           tcp
US       8.8.8.8:53           csc3-2004-crl.verisign.com  udp
N/A      10.127.0.122:27000   -                           tcp
N/A      10.127.0.122:27001   -                           tcp
N/A      10.127.0.122:27002   -                           tcp
N/A      10.127.0.122:27003   -                           tcp
N/A      10.127.0.122:27004   -                           tcp
N/A      10.127.0.122:27005   -                           tcp
N/A      10.127.0.122:27006   -                           tcp
N/A      10.127.0.122:27007   -                           tcp
N/A      10.127.0.122:27008   -                           tcp
N/A      10.127.0.122:27009   -                           tcp
N/A      10.127.0.122:27000   -                           tcp
N/A      127.0.0.1:49421      -                           tcp
N/A      127.0.0.1:27000      -                           tcp

Files

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll

MD5 51f0e19b4cf164ecba9a006c4cf3b2a5
SHA1 34a4df9c5bdb61e92a8f6f6986273fdf361d9c51
SHA256 6f13e52d797a732435c8bb456be08c64d0b6fadea29f85486f4b44559d6cc95f
SHA512 d78a56f0fcf51e438dab92e6791720e6d96d8e39ac3b3ab0d6a881ea94719d61ccb0a041da11c8c92c4d4681d6d8b83fbf4f1ee8c209ea34541001f6fce18d4e

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll

MD5 5c51cc926c76b23830d27a97445bf734
SHA1 51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d
SHA256 655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb
SHA512 ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi

MD5 5b47b9b432264a3db0027391e840b606
SHA1 5234c465bc6c4bc22dd6bb1502b671a57b55b7f7
SHA256 17ef73864bc721ec19c25052dec89619ef2c5c244fcafee46f415608a29b1c81
SHA512 ee30955fc2fc343f40beb97da76e41d282e090d3edeaa1d26043ac16600e05c30ffc6588d92825d0e5565715a5d9315dbf12f80f497da038e52b5d33643dcc67

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst

MD5 29810bab1ef69a3d26872093ef09372b
SHA1 7909ffedce856814353a753bcf891085c4c0f03e
SHA256 90e413cd675ee085c441df6327f6661a3459f4e109e0684b1a361c050d672bdb
SHA512 f4c08df269e65accac37233cb6abe0d6c5ed6fa952bb11f4f77abaa628ef2301f85627fe3bf2a3a79d99f6dd841abe7629b74b13eab96cce48d1c82911d6f857

C:\Users\Admin\AppData\Local\Temp\Cab10B5.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1183.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Windows\Installer\MSI173B.tmp

MD5 745686a040d4e3f775e25191c869b1e2
SHA1 b8cebdf1f83d78e5f39b285a32e377388de2cfda
SHA256 706875b6ce4b23ba395164e9280b78f6b7daebad14440b4cb472f1e684b3af9d
SHA512 ee7aa91aef46836463ff61f6aefb45db3a49b0c694cb542d2758a8a2f9b036f22680f915f0b8469d60041b7ff74b0b2cfbb053c11651f5b88716c1386615c5f0

C:\Windows\Installer\MSI17C8.tmp

MD5 d773d9bd091e712df7560f576da53de8
SHA1 165cfbdce1811883360112441f7237b287cf0691
SHA256 e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA512 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe

MD5 2791efeb418895f1f26597417435bef3
SHA1 5a571527607c8e0f150802577be39c086bec914a
SHA256 3019072311996868ffbe6b904713aad149a60f8cfc56ce25134f5864f8aebe01
SHA512 83ccb244632571c848675d75248dde45e21a86940be81e8d061cf9edce93462317a5ffca847f546360feb01e6d62d0e87d024f56825cb70c59d047bad3980c0f

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf

MD5 db9b6d0f44bc811c52314bf36f6328b2
SHA1 0dbe841933f5cf468b42db7eb6b0aae88292300d
SHA256 994dbb01d6e468706e7f783b609bc9948e05ddf55fb0c43333d55c09359064e8
SHA512 5679169d9baf3654fcd1b73a46914f4cbfe37bc177b2fc8a9d711a71aca6d96bbb08b1645d26b0c5a2855a2a8bd1ac748e47c24b2832a134fd3d1c085df52941

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

MD5 f12c3e03b9d483e1ebddedfb0dfbfbae
SHA1 95b87460dea43111df5a92f8c6272b4fcf327563
SHA256 1c347344df9fa1d2138c7fd7063ca161555e68d05c56deb527c442af8af7ac44
SHA512 02f64715bcd4ca53cd5e9e8c90cd9e3c2b273b82dbe9a41185a7b78117c0024435d76462eb24a258b7b3fc3f487969d2d0eed269469852ef96293ac8a7524ddc

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf

MD5 025a79b45214a675b104acc201e5c03a
SHA1 ecd28d143b04ea3a6a915db95ecb0efeee7639a0
SHA256 25e159e37e1641f1bc5b0cc4ae5fa5eb6251a585e0560fccdd5e8cade9648dff
SHA512 b5fa642925d25980f00d7a9ceee7d1a40aed226aa1a6166ac9c632aa2abe74d4e7c5d682fe6ae524cde3f282205c2c8b1dd6c4984693612e27a09530f34c27e5

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

MD5 2b62942ac6d4bdf9233bb1d8dbca59d9
SHA1 af05185577f941d24c3e78825b2034bd5ab33473
SHA256 c2efadf435920e9cd4b02763d6dd430e342112185890239307d65814ff723ab9
SHA512 89ef572c26b0c36279bfdf8adfd175a447b26e976f9de6d72b0e7f3e7c543ab71f3b1e005eda02e40e195c96bb39230abca045439d92915cc58d855c113b1c00

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe

MD5 8ffb63dc14e80d41c803aedc6bb90137
SHA1 944e599fa01f16a784a588aee5699c84fd8ad4c8
SHA256 2fd05e58d2623280cc63575a30dd698dc0d4ba16eca42ab0e5343bca7e2fa779
SHA512 800e6192f0650ec7a611a84ed05128658b59dcd6f82a1f57736b6ebfc44274f52b010cd233d28e640fff5d7a28eff33c67cf5daba5b76da52f3b48e2b213e11e

C:\Config.Msi\f770fbf.rbs

MD5 46ab2bc98aa5700435f2ffd2bae84f82
SHA1 4bf0c75ddc1b91ddb13da3277b18f1e08ee67024
SHA256 f8afecf190fc78df88f4b30c2031fe01c292adc14c89eef49af2f1aa13cb1259
SHA512 b709f3759f8fc3830afbfefa342930017f243f72cf09781c2c4db55de1f0bccd17d12b3ee7d31cb65fa72442105f43622672ee760d8f5b96d2fb4bd2338eb8f0

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe

MD5 c00b8b7b1c084718ec5d63a53aefb1eb
SHA1 829f8afa420e6231302e42dfff13f05099a86248
SHA256 05b24756d46ce216c84878dddc97ef9e2eeb6eca8ec12c97e780c4d0eef63731
SHA512 6ea0cee172e63f0ecb18b9b7971519d1db7b9c469b4e5cebc5bd79369c9c66adfe70fd3d55967da63070f193502df028cd79c5af9ee5e188316533732bd70056

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd

MD5 606ac2202cd0b8488c6ac4f9078f3081
SHA1 dcad1a2603ca52d3ec6428fdf515913556d402e5
SHA256 5252a0f65286025e335661873ecdc4a7e9b6b8fe7d1a4d1ff5ac08549465a54f
SHA512 59792500aea8ba4263f82bca9c5abbce24b2a864c78f48b4c44153c2c3f85d3e2fbe6a4e2a9b74681da40e734cf143d4c159939079649a3432b3139050b647b6

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic

MD5 2b7af274d669590f4f3cfd580b1aeb38
SHA1 8ea69412ee2d662b8af8023fce2edab0e1275559
SHA256 716f2ab691f4b328602967be934f415f32e16a3184e133ba203aaeade9ad27ce
SHA512 25ca79e4e61b870d6d55bd5db58c3a9e6b72a683da5c20049df6377ca84d6238e8d1d72f9f104d637e8a19cc17774ac6e7b8b4241d19739c2cb8e5f2ac2feeb7

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json

MD5 ba3088f87edfcceb1e084c971db40601
SHA1 ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f
SHA256 e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651
SHA512 e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\fstln.txt

MD5 4b45aaddc8a98250702961d425b9b174
SHA1 140ecfe6f3401496093412358f20b612ab217580
SHA256 a011185006c3cc3c558b51f9b012191a396eb4da4eae52533199abf8536c2a54
SHA512 67b341624a88a0c883fc5a064c321af5078b85a9c1d9207c7ddbe13e0d84d5bd39a3537b16726de4f4e44bfa8afd378af858cdf197063e9f2340454537b39143

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic

MD5 2e163b021aadf1fe90b128b3f39495e6
SHA1 3f388f9fbd2a78e8026a6b9d48ff56d4e7aa4787
SHA256 f66c20a8d884f74cd1a65f433cdabafcb49dcc46bd6d88ab5d56d54113373a0d
SHA512 33b3e9ff29590b3d3afc224cd78afddf5afd76b256108b538c7eda03857cf06110c7058136d3af67999d65bf4d96e49e697bb676dea0c63f8333f7f181338c84
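
The Files listing above records adskflex.exe and licenses.lic twice each: once under the Temp\Adsk-NLM staging directory and once under the Network License Manager install directory, with different digests in both cases, even though the process tree copies the staged adskflex.exe over the installed one (the xcopy above) and points the new AdskNLM service and lmgrd.exe at the installed licenses.lic. A listing like this has to be reconciled before any of its hashes are used as indicators: a mismatch after an observed copy means either that the destination digest was captured before the overwrite or that the copy never landed, and the file on disk must be re-hashed either way. The Python below is an added example, not part of the report: it parses the section's layout, rejects digests of the wrong length, and pairs each staged file with same-named files elsewhere. The sample is five entries copied verbatim from the section; the staging-directory convention and pairing by basename are this example's assumptions.

```python
"""Reconcile a sandbox 'Files' listing: staged copies vs. what landed on disk.

Added example, not part of the sandbox report. The sample entries are copied
verbatim from the Files section above; the staging-directory convention and the
pairing-by-basename heuristic are this example's own assumptions.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed sample in the report's own layout: a path line, then one
# "ALGO hex" line per digest, entries separated by blank lines.
SAMPLE_FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe

MD5 c00b8b7b1c084718ec5d63a53aefb1eb
SHA1 829f8afa420e6231302e42dfff13f05099a86248
SHA256 05b24756d46ce216c84878dddc97ef9e2eeb6eca8ec12c97e780c4d0eef63731
SHA512 6ea0cee172e63f0ecb18b9b7971519d1db7b9c469b4e5cebc5bd79369c9c66adfe70fd3d55967da63070f193502df028cd79c5af9ee5e188316533732bd70056

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

MD5 f12c3e03b9d483e1ebddedfb0dfbfbae
SHA1 95b87460dea43111df5a92f8c6272b4fcf327563
SHA256 1c347344df9fa1d2138c7fd7063ca161555e68d05c56deb527c442af8af7ac44
SHA512 02f64715bcd4ca53cd5e9e8c90cd9e3c2b273b82dbe9a41185a7b78117c0024435d76462eb24a258b7b3fc3f487969d2d0eed269469852ef96293ac8a7524ddc

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic

MD5 2b7af274d669590f4f3cfd580b1aeb38
SHA1 8ea69412ee2d662b8af8023fce2edab0e1275559
SHA256 716f2ab691f4b328602967be934f415f32e16a3184e133ba203aaeade9ad27ce
SHA512 25ca79e4e61b870d6d55bd5db58c3a9e6b72a683da5c20049df6377ca84d6238e8d1d72f9f104d637e8a19cc17774ac6e7b8b4241d19739c2cb8e5f2ac2feeb7

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic

MD5 2e163b021aadf1fe90b128b3f39495e6
SHA1 3f388f9fbd2a78e8026a6b9d48ff56d4e7aa4787
SHA256 f66c20a8d884f74cd1a65f433cdabafcb49dcc46bd6d88ab5d56d54113373a0d
SHA512 33b3e9ff29590b3d3afc224cd78afddf5afd76b256108b538c7eda03857cf06110c7058136d3af67999d65bf4d96e49e697bb676dea0c63f8333f7f181338c84

C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll

MD5 5c51cc926c76b23830d27a97445bf734
SHA1 51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d
SHA256 655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb
SHA512 ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285
"""


def parse_files_section(text):
    """Return {path: {algo: hex}}. Any non-blank line that is not 'ALGO hex'
    starts a new entry, so paths containing spaces or parentheses are fine."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            records[current][m.group(1)] = m.group(2).lower()
        else:
            current = line
            records.setdefault(current, {})
    return records


def malformed_digests(records):
    """(path, algo) pairs whose digest length is wrong for the algorithm; a
    truncated copy-paste is the usual cause and such a value is not a usable IOC."""
    return [(path, algo) for path, digests in records.items()
            for algo, value in digests.items() if len(value) != HASH_LEN[algo]]


def staged_vs_installed(records, staging_dir, algo="SHA256"):
    """Pair each file under staging_dir with same-named files elsewhere and report
    whether the recorded digests agree: (basename, staged_path, other_path, same)."""
    staging = staging_dir.lower().rstrip("\\") + "\\"
    by_name = defaultdict(list)
    for path in records:
        by_name[path.rsplit("\\", 1)[-1].lower()].append(path)
    pairs = []
    for name, paths in sorted(by_name.items()):
        staged = [p for p in paths if p.lower().startswith(staging)]
        installed = [p for p in paths if not p.lower().startswith(staging)]
        for s in staged:
            for d in installed:
                pairs.append((name, s, d, records[s].get(algo) == records[d].get(algo)))
    return pairs


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_FILES_SECTION)
    print("malformed:", malformed_digests(recs))
    for name, s, d, same in staged_vs_installed(recs, r"C:\Users\Admin\AppData\Local\Temp\Adsk-NLM"):
        print(f"{name}: {'SAME' if same else 'DIFFERENT'} digest staged -> installed")
```

Both pairs come back DIFFERENT for this report. For adskflex.exe that means the recorded install-directory hash (1c34...) is the MSI-installed binary, not the staged copy (05b2...) that the xcopy step writes over it, so neither value alone identifies what lmgrd.exe actually loaded; the staged hash is the better indicator for the dropped component, and the on-disk file should be re-hashed on an infected host.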

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
CZ 23.212.110.209:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.110.212.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
CZ 23.212.110.161:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 161.110.212.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

123s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
CZ 23.212.110.161:443 www.bing.com tcp
US 8.8.8.8:53 161.110.212.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-12 08:17

Reported

2024-05-12 08:20

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ޶.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ޶.url"

Network

N/A

Files

memory/2880-0-0x00000000001F0000-0x00000000001F1000-memory.dmp