Analysis Overview
SHA256
b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218
Threat Level: Known bad
The file b5da3639204818910898d4cee127ff81dfffd793e1d62be1c633931b2bb98218 was found to be: Known bad. In the behavioral run it executed as AdskNLM.exe from a "Revit 2024" temp directory and behaved as a self-extracting stub (its child command lines carry the -sfxwaitall:0 switch) that: installed the Autodesk Network License Manager package nlm11.18.0.0_ipv4_ipv6_win64.msi through msiexec from %TEMP%\Adsk-NLM; stopped AdskLicensingService and "Autodesk Access Service Host" with sc.exe and set the latter to start= demand; force-killed AdskLicensingAgent.exe, AdAppMgrSvc.exe, AutodeskDesktopApp.exe, AdskIdentityManager.exe, "Autodesk Access UI Host.exe" and FNPLicensingService64.exe with taskkill; copied files named version.dll and netapi32.dll into the AdskLicensingAgent directory with xcopy (and, conditionally, netapi32.dll into Adlm\R26 and R28), names that collide with Windows system DLLs and are consistent with DLL search-order hijacking of the licensing agent; wrote licenses.lic into the Network License Manager directory; and deleted the "Autodesk Access" value from the HKLM Run key. The unsigned-PE and QR-code findings come from the static pass.
Malicious Activity Summary
Disables service(s)
Creates new service(s)
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Blocklisted process makes network request
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
One or more HTTP URLs in qr code identified
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-12 08:17
Signatures
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Disables service(s)
Creates new service(s)
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe | N/A |
(identical row repeated 43 times in the original report; shown once)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI952E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e579119.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e579115.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9376.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI951E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI95AC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI93E4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI96B7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e579114.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e579114.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e579115.mst | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{4BE91685-1632-47FC-B563-A8A542C6664C} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "5FB46D79661AA9C4D8C8D2B42D9B321F" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185729024" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11.18.0.0_ipv4_ipv6_win64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
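The Installer\Products key 58619EB42361CF745B368A5A246C66C4, the UpgradeCodes key 4BC698D839589114AA143BB5C9D87F42, the PackageCode value and the packed Version value above are stored in Windows Installer's "squished" GUID form. The Python below, added here as a worked example and not part of the sandbox report, decodes them: the product key unsquishes to {4BE91685-1632-47FC-B563-A8A542C6664C}, which is the directory name under C:\Windows\Installer in the file table above, and the Version DWORD decodes to 11.18.0, matching the nlm11.18.0.0 package name. The Uninstall key path returned by describe() is the standard per-machine location, not something this page shows.

```python
"""Decode the Windows Installer identifiers recorded in the registry table above.
Added example, not part of the sandbox report; the constants are the values on
this page, the decoding rules are Windows Installer's squished-GUID key format."""
from __future__ import annotations
import re

PRODUCT_KEY = "58619EB42361CF745B368A5A246C66C4"   # Installer\Products\<key>
UPGRADE_KEY = "4BC698D839589114AA143BB5C9D87F42"   # Installer\UpgradeCodes\<key>
PACKAGE_CODE = "5FB46D79661AA9C4D8C8D2B42D9B321F"  # PackageCode value
VERSION_VALUE = 185729024                          # Version value (DWORD)

_HEX32 = re.compile(r"^[0-9A-F]{32}$")


def _swap_pairs(hex_bytes: str) -> str:
    """Swap the two nibbles of each byte: 'A8A5' -> '8A5A'."""
    return "".join(hex_bytes[i + 1] + hex_bytes[i] for i in range(0, len(hex_bytes), 2))


def unsquish(key: str) -> str:
    """Installer key name -> braced GUID.

    Installer drops braces and dashes, reverses the first three GUID fields as
    whole strings and swaps the nibbles of every remaining byte, so the key
    58619EB4 2361 CF74 ... names product {4BE91685-1632-47FC-...}.
    """
    s = key.strip().upper()
    if not _HEX32.match(s):
        raise ValueError(f"not a squished GUID: {key!r}")
    tail = _swap_pairs(s[16:])
    return f"{{{s[:8][::-1]}-{s[8:12][::-1]}-{s[12:16][::-1]}-{tail[:4]}-{tail[4:]}}}"


def squish(guid: str) -> str:
    """Braced GUID -> Installer key name (inverse of unsquish)."""
    s = guid.strip().strip("{}").replace("-", "").upper()
    if not _HEX32.match(s):
        raise ValueError(f"not a GUID: {guid!r}")
    return s[:8][::-1] + s[8:12][::-1] + s[12:16][::-1] + _swap_pairs(s[16:])


def decode_version(value: int) -> tuple[int, int, int]:
    """Installer packs ProductVersion as major<<24 | minor<<16 | build."""
    return (value >> 24) & 0xFF, (value >> 16) & 0xFF, value & 0xFFFF


def describe(product_key: str = PRODUCT_KEY, upgrade_key: str = UPGRADE_KEY,
             package_code: str = PACKAGE_CODE, version: int = VERSION_VALUE) -> dict:
    """Pivot points from the registry rows to disk artifacts and MSI logs."""
    product = unsquish(product_key)
    return {
        "ProductCode": product,
        "UpgradeCode": unsquish(upgrade_key),
        "PackageCode": unsquish(package_code),
        "ProductVersion": ".".join(str(n) for n in decode_version(version)),
        # Cached transform/icon directory; the page shows it under C:\Windows\Installer.
        "InstallerCacheDir": "C:\\Windows\\Installer\\" + product,
        # Standard per-machine uninstall key (assumed location, not shown on this page).
        "UninstallKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + product,
    }
```

Feeding the three keys from this page through describe() gives the ProductCode, the UpgradeCode shared by every NLM release (useful for finding earlier installs), the PackageCode that identifies this exact MSI build, and version 11.18.0; the same ProductCode is what `msiexec /x` and the Windows Installer event log (source MsiInstaller) will reference when the package is removed.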
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskLicensingService
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop AdskLicensingService
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskLicensingService
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start AdskLicensingService
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "FNPLicensingService64.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "FNPLicensingService64.exe"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "FlexNet Licensing Service 64" start= disabled
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config "FlexNet Licensing Service 64" start= disabled
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop AdskNLM
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 4A43ADFB298F5E5619F6B3FD5A75952A
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 187CB0C3DC227559F8BC3745866D1F97
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8B7D749A31F7192E57D1E31F29889B1C E Global\MSI0000
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start AdskNLM
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
adskflex.exe -T Objiyuie 11.18 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -lmgrd_port 6978 -srv zjsruX2uMLpny6QROdFKXhfTq0ecXLMvPk0WTGRvWILuwTN9Gk3pvhHDk28go77 --lmgrd_start 66407b44 -vdrestart 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| CZ | 23.212.110.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.110.212.23.in-addr.arpa | udp |
| N/A | 10.127.0.101:27000 | | tcp |
| N/A | 10.127.0.101:27001 | | tcp |
| N/A | 10.127.0.101:27002 | | tcp |
| N/A | 10.127.0.101:27003 | | tcp |
| N/A | 10.127.0.101:27004 | | tcp |
| N/A | 10.127.0.101:27005 | | tcp |
| N/A | 10.127.0.101:27006 | | tcp |
| N/A | 10.127.0.101:27007 | | tcp |
| N/A | 10.127.0.101:27008 | | tcp |
| N/A | 10.127.0.101:27009 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 10.127.0.101:27000 | | tcp |
| N/A | 127.0.0.1:55798 | | tcp |
| N/A | 127.0.0.1:27000 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll
| MD5 | 51f0e19b4cf164ecba9a006c4cf3b2a5 |
| SHA1 | 34a4df9c5bdb61e92a8f6f6986273fdf361d9c51 |
| SHA256 | 6f13e52d797a732435c8bb456be08c64d0b6fadea29f85486f4b44559d6cc95f |
| SHA512 | d78a56f0fcf51e438dab92e6791720e6d96d8e39ac3b3ab0d6a881ea94719d61ccb0a041da11c8c92c4d4681d6d8b83fbf4f1ee8c209ea34541001f6fce18d4e |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll
| MD5 | 5c51cc926c76b23830d27a97445bf734 |
| SHA1 | 51ebe83a748e2ddae9c20b0e1a66cbe42f846e7d |
| SHA256 | 655181d13d9707500bf77ff88b0b6c2595459b475ade7b919a2b1e00402c1ceb |
| SHA512 | ba10db85af29a02c9959d8c107e028879dbb3138443f35ba1512793bf782c1b8191c0aecc0fca447e96fda6daa720bb75ca67fdb29ff2c73b104265d0b53d285 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi
| MD5 | 5b47b9b432264a3db0027391e840b606 |
| SHA1 | 5234c465bc6c4bc22dd6bb1502b671a57b55b7f7 |
| SHA256 | 17ef73864bc721ec19c25052dec89619ef2c5c244fcafee46f415608a29b1c81 |
| SHA512 | ee30955fc2fc343f40beb97da76e41d282e090d3edeaa1d26043ac16600e05c30ffc6588d92825d0e5565715a5d9315dbf12f80f497da038e52b5d33643dcc67 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst
| MD5 | 29810bab1ef69a3d26872093ef09372b |
| SHA1 | 7909ffedce856814353a753bcf891085c4c0f03e |
| SHA256 | 90e413cd675ee085c441df6327f6661a3459f4e109e0684b1a361c050d672bdb |
| SHA512 | f4c08df269e65accac37233cb6abe0d6c5ed6fa952bb11f4f77abaa628ef2301f85627fe3bf2a3a79d99f6dd841abe7629b74b13eab96cce48d1c82911d6f857 |
C:\Windows\Installer\MSI9376.tmp
| MD5 | 745686a040d4e3f775e25191c869b1e2 |
| SHA1 | b8cebdf1f83d78e5f39b285a32e377388de2cfda |
| SHA256 | 706875b6ce4b23ba395164e9280b78f6b7daebad14440b4cb472f1e684b3af9d |
| SHA512 | ee7aa91aef46836463ff61f6aefb45db3a49b0c694cb542d2758a8a2f9b036f22680f915f0b8469d60041b7ff74b0b2cfbb053c11651f5b88716c1386615c5f0 |
C:\Windows\Installer\MSI93E4.tmp
| MD5 | d773d9bd091e712df7560f576da53de8 |
| SHA1 | 165cfbdce1811883360112441f7237b287cf0691 |
| SHA256 | e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7 |
| SHA512 | 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe
| MD5 | 2791efeb418895f1f26597417435bef3 |
| SHA1 | 5a571527607c8e0f150802577be39c086bec914a |
| SHA256 | 3019072311996868ffbe6b904713aad149a60f8cfc56ce25134f5864f8aebe01 |
| SHA512 | 83ccb244632571c848675d75248dde45e21a86940be81e8d061cf9edce93462317a5ffca847f546360feb01e6d62d0e87d024f56825cb70c59d047bad3980c0f |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
| MD5 | f12c3e03b9d483e1ebddedfb0dfbfbae |
| SHA1 | 95b87460dea43111df5a92f8c6272b4fcf327563 |
| SHA256 | 1c347344df9fa1d2138c7fd7063ca161555e68d05c56deb527c442af8af7ac44 |
| SHA512 | 02f64715bcd4ca53cd5e9e8c90cd9e3c2b273b82dbe9a41185a7b78117c0024435d76462eb24a258b7b3fc3f487969d2d0eed269469852ef96293ac8a7524ddc |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe
| MD5 | 8ffb63dc14e80d41c803aedc6bb90137 |
| SHA1 | 944e599fa01f16a784a588aee5699c84fd8ad4c8 |
| SHA256 | 2fd05e58d2623280cc63575a30dd698dc0d4ba16eca42ab0e5343bca7e2fa779 |
| SHA512 | 800e6192f0650ec7a611a84ed05128658b59dcd6f82a1f57736b6ebfc44274f52b010cd233d28e640fff5d7a28eff33c67cf5daba5b76da52f3b48e2b213e11e |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
| MD5 | 2b62942ac6d4bdf9233bb1d8dbca59d9 |
| SHA1 | af05185577f941d24c3e78825b2034bd5ab33473 |
| SHA256 | c2efadf435920e9cd4b02763d6dd430e342112185890239307d65814ff723ab9 |
| SHA512 | 89ef572c26b0c36279bfdf8adfd175a447b26e976f9de6d72b0e7f3e7c543ab71f3b1e005eda02e40e195c96bb39230abca045439d92915cc58d855c113b1c00 |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf
| MD5 | 025a79b45214a675b104acc201e5c03a |
| SHA1 | ecd28d143b04ea3a6a915db95ecb0efeee7639a0 |
| SHA256 | 25e159e37e1641f1bc5b0cc4ae5fa5eb6251a585e0560fccdd5e8cade9648dff |
| SHA512 | b5fa642925d25980f00d7a9ceee7d1a40aed226aa1a6166ac9c632aa2abe74d4e7c5d682fe6ae524cde3f282205c2c8b1dd6c4984693612e27a09530f34c27e5 |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf
| MD5 | db9b6d0f44bc811c52314bf36f6328b2 |
| SHA1 | 0dbe841933f5cf468b42db7eb6b0aae88292300d |
| SHA256 | 994dbb01d6e468706e7f783b609bc9948e05ddf55fb0c43333d55c09359064e8 |
| SHA512 | 5679169d9baf3654fcd1b73a46914f4cbfe37bc177b2fc8a9d711a71aca6d96bbb08b1645d26b0c5a2855a2a8bd1ac748e47c24b2832a134fd3d1c085df52941 |
C:\Config.Msi\e579118.rbs
| MD5 | baf51fabfc6a70da166ddbe6c9ee71ba |
| SHA1 | 02108b54bbb3cebd970285f72191b87c627c208d |
| SHA256 | caf8d3cb09df4c6147eb25f7d171230a95a75df8bb3b143431e99196d6e99089 |
| SHA512 | 695421c7b798f047d35e43bfdae8682296f7a4aaa7f1a3c9ebfad17316127b7e8b8c6c1536cdb27768fadc129042978c6834467907bac9753274c723dc41ebb4 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe
| MD5 | c00b8b7b1c084718ec5d63a53aefb1eb |
| SHA1 | 829f8afa420e6231302e42dfff13f05099a86248 |
| SHA256 | 05b24756d46ce216c84878dddc97ef9e2eeb6eca8ec12c97e780c4d0eef63731 |
| SHA512 | 6ea0cee172e63f0ecb18b9b7971519d1db7b9c469b4e5cebc5bd79369c9c66adfe70fd3d55967da63070f193502df028cd79c5af9ee5e188316533732bd70056 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd
| MD5 | 606ac2202cd0b8488c6ac4f9078f3081 |
| SHA1 | dcad1a2603ca52d3ec6428fdf515913556d402e5 |
| SHA256 | 5252a0f65286025e335661873ecdc4a7e9b6b8fe7d1a4d1ff5ac08549465a54f |
| SHA512 | 59792500aea8ba4263f82bca9c5abbce24b2a864c78f48b4c44153c2c3f85d3e2fbe6a4e2a9b74681da40e734cf143d4c159939079649a3432b3139050b647b6 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic
| MD5 | 2b7af274d669590f4f3cfd580b1aeb38 |
| SHA1 | 8ea69412ee2d662b8af8023fce2edab0e1275559 |
| SHA256 | 716f2ab691f4b328602967be934f415f32e16a3184e133ba203aaeade9ad27ce |
| SHA512 | 25ca79e4e61b870d6d55bd5db58c3a9e6b72a683da5c20049df6377ca84d6238e8d1d72f9f104d637e8a19cc17774ac6e7b8b4241d19739c2cb8e5f2ac2feeb7 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json
| MD5 | ba3088f87edfcceb1e084c971db40601 |
| SHA1 | ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f |
| SHA256 | e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651 |
| SHA512 | e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68 |
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\fstln.txt
| MD5 | 2ef88db4a982dc69584e063954ca147b |
| SHA1 | 44ad0967724adf33536ad3961e27d210a5f2dc5b |
| SHA256 | 85f26c896ab13e855f7b0e5c9f90b5fe257a49b91da6e15f810ee8f91b4828e9 |
| SHA512 | 556fca1c61bb30ae8d8400393325e911ccd10a56a3350453ec51da2513a8e7c06ca4cba8f407ccefa3600238134cd0d1883bff947547a742dab96bf3248acf71 |
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic
| MD5 | 63bb9358ceb508c23f31ecedefeaf6d0 |
| SHA1 | 97df01827a238a0a032994f544c86245befa6fea |
| SHA256 | 758f251cb1b9ba736227fb4a2f4c5bb9fc68254aef5db6900cdaa70dc7b5ad46 |
| SHA512 | 49e5ca0bd51e45233d99f36a36357dcede5d1520a47e962f6c97299b3f160060ae557f8c66ce3b9aec95d4c14543e7e15861c1537518bba43e51241cb8702cfe |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"
Network
Files
memory/2768-0-0x00000000003C0000-0x00000000003C1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win7-20240221-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"
Network
Files
memory/1972-0-0x00000000002F0000-0x00000000002F1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"
Network
Files
memory/2956-0-0x0000000002150000-0x0000000002151000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
98s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| CZ | 23.212.110.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.110.212.23.in-addr.arpa | udp |
| CZ | 23.212.110.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win7-20240221-en
Max time kernel
126s
Max time network
126s
Command Line
Signatures
Disables service(s)
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\netapi32.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll | C:\Windows\system32\xcopy.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f770fc0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f770fba.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f770fbb.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI173B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1CD9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1DF3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f770fbe.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f770fbb.mst | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f770fbe.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1CB9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI214F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f770fba.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI17C8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185729024" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "5FB46D79661AA9C4D8C8D2B42D9B321F" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11.18.0.0_ipv4_ipv6_win64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskLicensingService
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop AdskLicensingService
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R26" )
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28\LMU.exe" ( echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\Adlm\R28" )
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskLicensingService
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start AdskLicensingService
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "taskkill" /f /im "FNPLicensingService64.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "FNPLicensingService64.exe"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" config "FlexNet Licensing Service 64" start= disabled
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config "FlexNet Licensing Service 64" start= disabled
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" stop AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" stop AdskNLM
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding B1D05E27E934818774155257B7D9E9DC
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B6AD12B618031C27F1498600C953510F
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F866A4A1243D24D95FDF5CA8F2814772 M Global\MSI0000
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%USB%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%%PCI%%' AND AdapterTypeID='0'" get MacAddress,AdapterType
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "@localhost" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo D "
C:\Windows\system32\xcopy.exe
xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe
"C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\AdskNLM.exe" -sfxwaitall:0 "sc" start AdskNLM
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start AdskNLM
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
adskflex.exe -T Kxippckf 11.18 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -lmgrd_port 6978 -srv brzoKmoC9dQKRL59C5rMCGOEHXLBfRQt8vTs0PcINZ1PUVy9kGvEGj61w3oB0mw --lmgrd_start 66407b5f -vdrestart 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 23.14.90.72:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| CZ | 2.19.217.218:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| N/A | 10.127.0.122:27000 | | tcp |
| N/A | 10.127.0.122:27001 | | tcp |
| N/A | 10.127.0.122:27002 | | tcp |
| N/A | 10.127.0.122:27003 | | tcp |
| N/A | 10.127.0.122:27004 | | tcp |
| N/A | 10.127.0.122:27005 | | tcp |
| N/A | 10.127.0.122:27006 | | tcp |
| N/A | 10.127.0.122:27007 | | tcp |
| N/A | 10.127.0.122:27008 | | tcp |
| N/A | 10.127.0.122:27009 | | tcp |
| N/A | 10.127.0.122:27000 | | tcp |
| N/A | 127.0.0.1:49421 | | tcp |
| N/A | 127.0.0.1:27000 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\netapi32.dll
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11.18.0.0_ipv4_ipv6_win64.msi
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst
C:\Users\Admin\AppData\Local\Temp\Cab10B5.tmp
C:\Users\Admin\AppData\Local\Temp\Tar1183.tmp
C:\Windows\Installer\MSI173B.tmp
C:\Windows\Installer\MSI17C8.tmp
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe
C:\Config.Msi\f770fbf.rbs
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\createlic.cmd
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\fstln.txt
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\Revitʹý̳.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| CZ | 23.212.110.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.110.212.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\װ---ʴ𰸡.url"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| CZ | 23.212.110.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.110.212.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ѧ.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| CZ | 23.212.110.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 161.110.212.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-12 08:17
Reported
2024-05-12 08:20
Platform
win7-20240221-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Revit 2024ע\-ɫ.url"
Network
Files
memory/2880-0-0x00000000001F0000-0x00000000001F1000-memory.dmp