012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Size

7.4MB
MD5

8d59ea7c3e75a7efe77835e6b2805523
SHA1

920507c802716d4fe9e42f3a524b7d79de74f890
SHA256

012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15
SHA512

bb3b46e86a96ca6ef785468045aa4449029eac221a65a583c39a6374e6bb2816cf547863bd99dc9923d8c310be2908ea2c704d1583f4ba375cddeadabbfceeff
SSDEEP

196608:5WX+phJYDNAHmXiqKmqQeyLKpRdcVtXEXnV:5XjqDNAGXiTmrMpwVVCV

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
1348	lmgrd.exe
2936	lmgrd.exe
2256	adskflex.exe

Loads dropped DLL 9 IoCs

pid	Process
2900	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
1732	msiexec.exe
1748	MsiExec.exe
484	Process not Found
2936	lmgrd.exe
2936	lmgrd.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	1732	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76b214.ipi	msiexec.exe
File created	C:\Windows\Installer\f76b210.msi	msiexec.exe
File created	C:\Windows\Installer\f76b211.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB542.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB757.tmp	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico	msiexec.exe
File created	C:\Windows\Installer\f76b216.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB756.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b210.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b211.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7A6.tmp	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst	msiexec.exe
File created	C:\Windows\Installer\f76b214.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst	msiexec.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1796	sc.exe
2964	sc.exe
1260	sc.exe
1544	sc.exe
1752	sc.exe
1664	sc.exe
1956	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
572	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
3004	taskkill.exe
2624	taskkill.exe
2156	taskkill.exe
2184	taskkill.exe
2416	taskkill.exe
1028	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11-19-4-1-ipv4-ipv6-win64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185794564"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "55B98EBBBAF085F4D8632D5C58260AF6"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	msiexec.exe
1732	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
484	Process not Found
484	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1840	WMIC.exe
Token: SeSecurityPrivilege	1840	WMIC.exe
Token: SeTakeOwnershipPrivilege	1840	WMIC.exe
Token: SeLoadDriverPrivilege	1840	WMIC.exe
Token: SeSystemProfilePrivilege	1840	WMIC.exe
Token: SeSystemtimePrivilege	1840	WMIC.exe
Token: SeProfSingleProcessPrivilege	1840	WMIC.exe
Token: SeIncBasePriorityPrivilege	1840	WMIC.exe
Token: SeCreatePagefilePrivilege	1840	WMIC.exe
Token: SeBackupPrivilege	1840	WMIC.exe
Token: SeRestorePrivilege	1840	WMIC.exe
Token: SeShutdownPrivilege	1840	WMIC.exe
Token: SeDebugPrivilege	1840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1840	WMIC.exe
Token: SeRemoteShutdownPrivilege	1840	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	30
PID 2812 wrote to memory of 2352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	30
PID 2812 wrote to memory of 2352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	30
PID 2352 wrote to memory of 2964	2352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	31
PID 2352 wrote to memory of 2964	2352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	31
PID 2352 wrote to memory of 2964	2352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	31
PID 2812 wrote to memory of 2756	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	33
PID 2812 wrote to memory of 2756	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	33
PID 2812 wrote to memory of 2756	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	33
PID 2756 wrote to memory of 2156	2756	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	34
PID 2756 wrote to memory of 2156	2756	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	34
PID 2756 wrote to memory of 2156	2756	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	34
PID 2812 wrote to memory of 2152	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	37
PID 2812 wrote to memory of 2152	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	37
PID 2812 wrote to memory of 2152	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	37
PID 2152 wrote to memory of 2444	2152	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	38
PID 2152 wrote to memory of 2444	2152	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	38
PID 2152 wrote to memory of 2444	2152	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	38
PID 2444 wrote to memory of 768	2444	cmd.exe	40
PID 2444 wrote to memory of 768	2444	cmd.exe	40
PID 2444 wrote to memory of 768	2444	cmd.exe	40
PID 2444 wrote to memory of 572	2444	cmd.exe	41
PID 2444 wrote to memory of 572	2444	cmd.exe	41
PID 2444 wrote to memory of 572	2444	cmd.exe	41
PID 2812 wrote to memory of 352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	42
PID 2812 wrote to memory of 352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	42
PID 2812 wrote to memory of 352	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	42
PID 352 wrote to memory of 584	352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	43
PID 352 wrote to memory of 584	352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	43
PID 352 wrote to memory of 584	352	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	43
PID 2812 wrote to memory of 268	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	45
PID 2812 wrote to memory of 268	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	45
PID 2812 wrote to memory of 268	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	45
PID 268 wrote to memory of 2056	268	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	46
PID 268 wrote to memory of 2056	268	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	46
PID 268 wrote to memory of 2056	268	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	46
PID 2812 wrote to memory of 2768	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	48
PID 2812 wrote to memory of 2768	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	48
PID 2812 wrote to memory of 2768	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	48
PID 2768 wrote to memory of 2896	2768	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	49
PID 2768 wrote to memory of 2896	2768	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	49
PID 2768 wrote to memory of 2896	2768	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	49
PID 2812 wrote to memory of 2448	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	51
PID 2812 wrote to memory of 2448	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	51
PID 2812 wrote to memory of 2448	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	51
PID 2448 wrote to memory of 2476	2448	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	52
PID 2448 wrote to memory of 2476	2448	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	52
PID 2448 wrote to memory of 2476	2448	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	52
PID 2812 wrote to memory of 2356	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	54
PID 2812 wrote to memory of 2356	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	54
PID 2812 wrote to memory of 2356	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	54
PID 2356 wrote to memory of 2332	2356	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	55
PID 2356 wrote to memory of 2332	2356	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	55
PID 2356 wrote to memory of 2332	2356	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	55
PID 2812 wrote to memory of 848	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	57
PID 2812 wrote to memory of 848	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	57
PID 2812 wrote to memory of 848	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	57
PID 848 wrote to memory of 2572	848	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	58
PID 848 wrote to memory of 2572	848	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	58
PID 848 wrote to memory of 2572	848	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	58
PID 2812 wrote to memory of 1832	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	60
PID 2812 wrote to memory of 1832	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	60
PID 2812 wrote to memory of 1832	2812	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	60
PID 1832 wrote to memory of 1692	1832	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	61

C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
"C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop AdskLicensingService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop AdskLicensingService
    3⤵
    - Launches sc.exe
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:768
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
      4⤵
      Drops file in Program Files directory
      PID:572
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\version.dll" )
    3⤵
    PID:584
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2476
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2332
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\version.dll" )
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\version.dll" )
    3⤵
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\version.dll" )
  2⤵
  PID:1800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\version.dll" )
    3⤵
    PID:620
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\version.dll" )
  2⤵
  PID:1304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\version.dll" )
    3⤵
    PID:1476
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" start AdskLicensingService
  2⤵
  PID:1316
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" start AdskLicensingService
    3⤵
    - Launches sc.exe
    PID:1260
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe
  2⤵
  PID:888
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe
  2⤵
  PID:2284
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe
  2⤵
  PID:2492
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"
  2⤵
  PID:2540
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im "AdskAccessCore.exe"
  2⤵
  PID:1288
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "AdskAccessCore.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f
  2⤵
  PID:944
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"
  2⤵
  PID:2468
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"
    3⤵
    - Launches sc.exe
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand
  2⤵
  PID:2604
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand
    3⤵
    - Launches sc.exe
    PID:1752
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
  2⤵
  PID:3048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
    3⤵
    PID:1684
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
  2⤵
  PID:1156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
    3⤵
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
  2⤵
  PID:2036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
    3⤵
    PID:2900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2348
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
  2⤵
  PID:2544
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
    3⤵
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
  2⤵
  PID:2204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
    3⤵
    PID:2020
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
  2⤵
  PID:2432
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
    3⤵
    PID:2000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop AdskNLM
  2⤵
  PID:1700
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop AdskNLM
    3⤵
    - Launches sc.exe
    PID:1664
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
  2⤵
  PID:1588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
    3⤵
    PID:1624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive
      4⤵
      PID:1400
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
  2⤵
  PID:2704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
    3⤵
    PID:2956
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
  2⤵
  PID:2840
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
    3⤵
    PID:2804
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
  2⤵
  PID:2212
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
    3⤵
    PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:2288
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
      4⤵
      Drops file in Program Files directory
      PID:1788
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
  2⤵
  PID:1820
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
    3⤵
    PID:1248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:1140
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
      4⤵
      Drops file in Program Files directory
      PID:840
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
  2⤵
  PID:868
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
  2⤵
  PID:872
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
    3⤵
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
  2⤵
  PID:604
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
    3⤵
    PID:544
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
  2⤵
  PID:1520
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
    3⤵
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
  2⤵
  PID:3048
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
  2⤵
  PID:1512
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
    3⤵
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
  2⤵
  PID:1728
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
    3⤵
    PID:1212
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
  2⤵
  PID:2912
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
    3⤵
    PID:2792
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
  2⤵
  PID:2972
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:1068
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "27080@localhost" /f
  2⤵
  PID:1824
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "27080@localhost" /f
    3⤵
    PID:984
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
  2⤵
  PID:2836
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
  2⤵
  PID:2820
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
  2⤵
  PID:1660
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:1496
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
  2⤵
  PID:2444
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
    3⤵
    PID:2872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:2896
  - - C:\Windows\system32\xcopy.exe
      xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
      4⤵
      PID:2396
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  PID:2024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:2768
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:2120
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software1.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  PID:1676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software1.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:2260
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:1920
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software2.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software2.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:1488
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:1428
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ipconfig /flushdns
  2⤵
  PID:2856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /flushdns
    3⤵
    PID:300
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:572
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" start AdskNLM
  2⤵
  PID:1304
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" start AdskNLM
    3⤵
    - Launches sc.exe
    PID:1796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A3DF5117298159527D185FA55E29DE99
  2⤵
  - Loads dropped DLL
  PID:2900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56FC85B743008EC1DE9F2285565124C1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADC0CF34D7F8C97157FC0C6E07C024CA M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1748

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
1⤵
- Executes dropped EXE
PID:1348
- C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
  "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2936
- - C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
    adskflex.exe -T Pjcsdmrp 11.19 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -srv eIm1dyg7XUlPzmVNUbmp1RN5yidx1mqljh4oIcovr9GAbGkS5e79Y5xHRJZNk7L --lmgrd_start 674f32de -vdrestart 0
    3⤵
    - Executes dropped EXE
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b215.rbs

Filesize
8KB

MD5
86ce5a1de18e72f220dec249424dad5a

SHA1
650d1c71853c0b27dce3f5ae03df3d1b022d7598

SHA256
0634e059d44cc617cd606e477e6a1898e6c062ce894ed455e4da6a67224b0692

SHA512
dbe89ce1e508eded6dc86779d9a040e845f74e4b6f97d865b46f5b1cc6666a71b21d58fb0c191597927fc1f9569e1cd1aa48d14a2c7a36e853f9c1cd436a05a5

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf

Filesize
99KB

MD5
db9b6d0f44bc811c52314bf36f6328b2

SHA1
0dbe841933f5cf468b42db7eb6b0aae88292300d

SHA256
994dbb01d6e468706e7f783b609bc9948e05ddf55fb0c43333d55c09359064e8

SHA512
5679169d9baf3654fcd1b73a46914f4cbfe37bc177b2fc8a9d711a71aca6d96bbb08b1645d26b0c5a2855a2a8bd1ac748e47c24b2832a134fd3d1c085df52941

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf

Filesize
2.8MB

MD5
b2a5ae4e47d0af4c147e7e18fc2df586

SHA1
1488f395cb226c59ad79a1d44f0e6f4f04ad0183

SHA256
9a50fa1d2fde367fa21341364ca14836663a11057958743dfd8d661e311481b6

SHA512
31093cb835bc9ab707c92877a9ccc5da54c725ca686917d0eece05a8444bb102027cc8b877b07010cc2550d3dcb4560b1bd6eb7efef8a2884289167de198de7e

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

Filesize
2.7MB

MD5
b19c8acbaea67f6c2a05335beef3ee1f

SHA1
535885c94b3289263c1e0f6f2228463919179ea8

SHA256
f90c004a9803c4c7cb13541a03f96bda1fa3d0dd37591bdc0e71b53ccba5f725

SHA512
cb3ca83c260a1d7bb101bb49198196668f7eb761f362c0f06c13233bec78a74694a8714af55497b9d0481c639d95da59a41628a03150f67db0429e98b2de55fb

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

Filesize
1.3MB

MD5
5511d5d99c5b8d7c5147be9c0b4b9ba6

SHA1
87ecb85ee85857d8448b3dac3ae95128909cf2b6

SHA256
54c993ec37cdc90a8821edd3fc3fc44704c2de7a28db4efbb9f8a781b83cdbbf

SHA512
45600a7872381e1f75633406e2735d43f316ec715583de2555bc8ca35c09b2a77541135223362655b6208fa23da5184179ba1277d32cd1b43991c4b6ec84a44e

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe

Filesize
1.4MB

MD5
795074805b95913a8edb4e7dcdd58715

SHA1
53f635038817c5866dd825897df87d21c8033310

SHA256
75d8c3fe59f5b9aaceb76e24fe1a44b805c65bbfcbfc489d66f9a479f1cf4425

SHA512
45f22452bf8d1aac0b658ce1afa57b014f4c9b14924110e03deb82474e84934d368be19e481b037c7f8a0e2e33835bd1dd38858c1f6b1ea0f1a9ed0558ee4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic

Filesize
340KB

MD5
bb0cb674eab3b0efd851948a0a5ac03d

SHA1
671b0add6326a17ac00840d7c656d90abd33e4af

SHA256
b25e227dfc17a5b81505ed27a697f35e2f318b8ae88b1dc7bf4278995befe72a

SHA512
a626e5dc3496508c5d7c644de91b9b7bbc4053425599f5ae1919b8996439c7ea80d3c626ed032e537c62ee4f479fb275caf893da9cc916a53fc4f5f395dffee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst

Filesize
20KB

MD5
29810bab1ef69a3d26872093ef09372b

SHA1
7909ffedce856814353a753bcf891085c4c0f03e

SHA256
90e413cd675ee085c441df6327f6661a3459f4e109e0684b1a361c050d672bdb

SHA512
f4c08df269e65accac37233cb6abe0d6c5ed6fa952bb11f4f77abaa628ef2301f85627fe3bf2a3a79d99f6dd841abe7629b74b13eab96cce48d1c82911d6f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi

Filesize
8.2MB

MD5
bbd4394d0c1d30fbf9ad4715ff217821

SHA1
971916842f2d6cbbb1fb7cd266fc0d31dca40079

SHA256
67ac43957233a6ebff216d0ff603b9d045583a6234c9a428f81b591b36a8fa71

SHA512
d2c086d589997548b4d83da078cf52ef83b2f6ac4f7aa7604d5c07b7d3cb998b381ebaba252e0880edae7ea0cf17de8ef86f70b4a6104c0cb72123d401cac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll

Filesize
73KB

MD5
4c059805319a0bb6830c563e41d85918

SHA1
569cbf5401de4c378e7aac030c94430daef57b62

SHA256
c6a4426b196f19b0a456908b20a1b5fa6d2dae8cdb1ee7bc537f2842014ba6db

SHA512
e12a6ac84aa6a96965a092f09fcc7711ff3553c64b620a595ba1f1726377f7356e97d0ffa0dc8759d8217fd67a18b312e8c37c6441bbe9c438596742a0ad6b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB495.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Windows\Installer\MSIB4C5.tmp

Filesize
99KB

MD5
1dbd78917f6da40fcdf7078ef82e19b0

SHA1
7e9a89081db720025063330a78810021869393d9

SHA256
b6861d25bde12b74229db3a4796cb9a529512042cde0bc5ad0121b0576d672e4

SHA512
da46c5cb81e1b105bf51296513ae8ade8e35bb110895b3254b5241ccaff55cd5a7c3bfb93bd2d20c35222fce0649db96ca644a39934c1dfa35e9607cc03db6e6

Download Submit
C:\Windows\Installer\MSIB542.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1017B

MD5
05acb9e463033b11d906460104ff58fb

SHA1
b3c3604d2a357e961a5bf76b967fdd6c13f931af

SHA256
506ce4c91a0daea718cb81517b3e4dcc395ea714271603c786ad4486fcac67d9

SHA512
8e381aa9ef6bbaf3bc012c4cb80d2d97d4e4130d6ee74f048b9e9288298cf967fc40e900ae73594408208b1736873f1a6e02572a023f64e99406a77f890e4dd7

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
d96bb680f89104556819ad2100450663

SHA1
c3e6c1ebff90c48c1826f4a25a4f76c1716c6cab

SHA256
c6f9fd51441e0e33ac88369e09f80119df3456ca5223c56c463c3335450e52af

SHA512
4a3abf550cf2c62f4b30c4647ca4f0067159f7b9dd3d0f7dbb56700fea7d68859cc3585093c6a9950fc3712db0eb7b95c27db7af9d775a77d5b45915392861c0

Download Submit
\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe

Filesize
1.5MB

MD5
58c91376ac43ef1e60a339c794132932

SHA1
50f8f91a31df2e3a6e86c0737f0e9e51953b3bcf

SHA256
899b30518b93ff451b4cc49e3d1b33f3a56909c430f4ad179825ca9a0b049593

SHA512
8e7845874d8d5655a76bf28903e9ef7623ad976867e62bb60cc55fc2338ff198d8901de8b81c4c02ec75f5b87890687ab59cce467d48de1a5e653efc2537bc79

Download Submit