012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Size

7.4MB
MD5

8d59ea7c3e75a7efe77835e6b2805523
SHA1

920507c802716d4fe9e42f3a524b7d79de74f890
SHA256

012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15
SHA512

bb3b46e86a96ca6ef785468045aa4449029eac221a65a583c39a6374e6bb2816cf547863bd99dc9923d8c310be2908ea2c704d1583f4ba375cddeadabbfceeff
SSDEEP

196608:5WX+phJYDNAHmXiqKmqQeyLKpRdcVtXEXnV:5XjqDNAGXiTmrMpwVVCV

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 3 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe

Executes dropped EXE 3 IoCs

Processes:

lmgrd.exelmgrd.exeadskflex.exe

pid	Process
3552	lmgrd.exe
408	lmgrd.exe
4488	adskflex.exe

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	Process
3096	MsiExec.exe
2528	MsiExec.exe
2528	MsiExec.exe
2528	MsiExec.exe
908	MsiExec.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow	pid	Process
23	3532	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 11 IoCs

Processes:

msiexec.exexcopy.exexcopy.exexcopy.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic	xcopy.exe
File opened for modification	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll	xcopy.exe
File created	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe	msiexec.exe

Drops file in Windows directory 21 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\e57c103.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c0fe.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6DF.tmp	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\lmtools.ico	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst	msiexec.exe
File created	C:\Windows\Installer\e57c0fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC2A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC303.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4BE91685-1632-47FC-B563-A8A542C6664C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5E4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c0ff.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC566.tmp	msiexec.exe
File created	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c0ff.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC546.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{4BE91685-1632-47FC-B563-A8A542C6664C}\nlm.mst	msiexec.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2344	sc.exe
4564	sc.exe
1976	sc.exe
3672	sc.exe
3468	sc.exe
3956	sc.exe
3488	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
3764	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4800	taskkill.exe
5116	taskkill.exe
1472	taskkill.exe
4828	taskkill.exe
2828	taskkill.exe
4956	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Transforms = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\nlm.mst"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\PackageCode = "55B98EBBBAF085F4D8632D5C58260AF6"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\PackageName = "nlm11-19-4-1-ipv4-ipv6-win64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductName = "Autodesk Network License Manager"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BC698D839589114AA143BB5C9D87F42\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Adsk-NLM\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\ProductIcon = "C:\\Windows\\Installer\\{4BE91685-1632-47FC-B563-A8A542C6664C}\\icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\58619EB42361CF745B368A5A246C66C4\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\58619EB42361CF745B368A5A246C66C4\Version = "185794564"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid	Process
3532	msiexec.exe
3532	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exemsiexec.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4972	WMIC.exe
Token: SeSecurityPrivilege	4972	WMIC.exe
Token: SeTakeOwnershipPrivilege	4972	WMIC.exe
Token: SeLoadDriverPrivilege	4972	WMIC.exe
Token: SeSystemProfilePrivilege	4972	WMIC.exe
Token: SeSystemtimePrivilege	4972	WMIC.exe
Token: SeProfSingleProcessPrivilege	4972	WMIC.exe
Token: SeIncBasePriorityPrivilege	4972	WMIC.exe
Token: SeCreatePagefilePrivilege	4972	WMIC.exe
Token: SeBackupPrivilege	4972	WMIC.exe
Token: SeRestorePrivilege	4972	WMIC.exe
Token: SeShutdownPrivilege	4972	WMIC.exe
Token: SeDebugPrivilege	4972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4972	WMIC.exe
Token: SeRemoteShutdownPrivilege	4972	WMIC.exe
Token: SeUndockPrivilege	4972	WMIC.exe
Token: SeManageVolumePrivilege	4972	WMIC.exe
Token: 33	4972	WMIC.exe
Token: 34	4972	WMIC.exe
Token: 35	4972	WMIC.exe
Token: 36	4972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4972	WMIC.exe
Token: SeSecurityPrivilege	4972	WMIC.exe
Token: SeTakeOwnershipPrivilege	4972	WMIC.exe
Token: SeLoadDriverPrivilege	4972	WMIC.exe
Token: SeSystemProfilePrivilege	4972	WMIC.exe
Token: SeSystemtimePrivilege	4972	WMIC.exe
Token: SeProfSingleProcessPrivilege	4972	WMIC.exe
Token: SeIncBasePriorityPrivilege	4972	WMIC.exe
Token: SeCreatePagefilePrivilege	4972	WMIC.exe
Token: SeBackupPrivilege	4972	WMIC.exe
Token: SeRestorePrivilege	4972	WMIC.exe
Token: SeShutdownPrivilege	4972	WMIC.exe
Token: SeDebugPrivilege	4972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4972	WMIC.exe
Token: SeRemoteShutdownPrivilege	4972	WMIC.exe
Token: SeUndockPrivilege	4972	WMIC.exe
Token: SeManageVolumePrivilege	4972	WMIC.exe
Token: 33	4972	WMIC.exe
Token: 34	4972	WMIC.exe
Token: 35	4972	WMIC.exe
Token: 36	4972	WMIC.exe
Token: SeSecurityPrivilege	3532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 3916 wrote to memory of 2876	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	82
PID 3916 wrote to memory of 2876	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	82
PID 2876 wrote to memory of 3956	2876	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	83
PID 2876 wrote to memory of 3956	2876	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	83
PID 3916 wrote to memory of 4680	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	85
PID 3916 wrote to memory of 4680	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	85
PID 4680 wrote to memory of 4800	4680	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	86
PID 4680 wrote to memory of 4800	4680	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	86
PID 3916 wrote to memory of 2496	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	89
PID 3916 wrote to memory of 2496	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	89
PID 2496 wrote to memory of 4552	2496	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	90
PID 2496 wrote to memory of 4552	2496	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	90
PID 4552 wrote to memory of 2304	4552	cmd.exe	92
PID 4552 wrote to memory of 2304	4552	cmd.exe	92
PID 4552 wrote to memory of 3176	4552	cmd.exe	93
PID 4552 wrote to memory of 3176	4552	cmd.exe	93
PID 3916 wrote to memory of 4984	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	94
PID 3916 wrote to memory of 4984	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	94
PID 4984 wrote to memory of 3268	4984	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	95
PID 4984 wrote to memory of 3268	4984	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	95
PID 3916 wrote to memory of 3764	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	97
PID 3916 wrote to memory of 3764	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	97
PID 3764 wrote to memory of 1976	3764	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	98
PID 3764 wrote to memory of 1976	3764	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	98
PID 3916 wrote to memory of 3816	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	100
PID 3916 wrote to memory of 3816	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	100
PID 3816 wrote to memory of 1164	3816	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	101
PID 3816 wrote to memory of 1164	3816	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	101
PID 3916 wrote to memory of 2576	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	103
PID 3916 wrote to memory of 2576	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	103
PID 2576 wrote to memory of 4276	2576	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	104
PID 2576 wrote to memory of 4276	2576	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	104
PID 3916 wrote to memory of 4024	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	106
PID 3916 wrote to memory of 4024	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	106
PID 4024 wrote to memory of 1640	4024	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	107
PID 4024 wrote to memory of 1640	4024	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	107
PID 3916 wrote to memory of 1604	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	109
PID 3916 wrote to memory of 1604	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	109
PID 1604 wrote to memory of 536	1604	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	110
PID 1604 wrote to memory of 536	1604	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	110
PID 3916 wrote to memory of 3736	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	112
PID 3916 wrote to memory of 3736	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	112
PID 3736 wrote to memory of 2612	3736	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	113
PID 3736 wrote to memory of 2612	3736	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	113
PID 3916 wrote to memory of 2416	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	115
PID 3916 wrote to memory of 2416	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	115
PID 2416 wrote to memory of 804	2416	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	116
PID 2416 wrote to memory of 804	2416	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	116
PID 3916 wrote to memory of 5076	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	118
PID 3916 wrote to memory of 5076	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	118
PID 5076 wrote to memory of 4664	5076	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	119
PID 5076 wrote to memory of 4664	5076	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	119
PID 3916 wrote to memory of 3232	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	121
PID 3916 wrote to memory of 3232	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	121
PID 3232 wrote to memory of 3488	3232	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	122
PID 3232 wrote to memory of 3488	3232	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	122
PID 3916 wrote to memory of 3944	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	124
PID 3916 wrote to memory of 3944	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	124
PID 3944 wrote to memory of 5116	3944	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	125
PID 3944 wrote to memory of 5116	3944	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	125
PID 3916 wrote to memory of 5088	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	127
PID 3916 wrote to memory of 5088	3916	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	127
PID 5088 wrote to memory of 1472	5088	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	128
PID 5088 wrote to memory of 1472	5088	012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe	128

C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
"C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop AdskLicensingService
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop AdskLicensingService
    3⤵
    - Launches sc.exe
    PID:3956
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /im AdskLicensingAgent.exe /f
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /im AdskLicensingAgent.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:2304
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent"
      4⤵
      Drops file in Program Files directory
      PID:3176
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.0.3194\AdskLicensingAgent\version.dll" )
    3⤵
    PID:3268
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.1.1.66\AdskLicensingAgent\version.dll" )
    3⤵
    PID:1976
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\10.2.0.4231\AdskLicensingAgent\version.dll" )
    3⤵
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.0.0.4854\AdskLicensingAgent\version.dll" )
    3⤵
    PID:4276
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.0.5629\AdskLicensingAgent\version.dll" )
    3⤵
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\11.1.1.17\AdskLicensingAgent\version.dll" )
    3⤵
    PID:536
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.0.6529\AdskLicensingAgent\version.dll" )
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.0.1.5\AdskLicensingAgent\version.dll" )
    3⤵
    PID:804
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\version.dll" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\AdskLicensingAgent.exe" ( echo F | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version_old.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\12.1.0.7121\AdskLicensingAgent\version.dll" )
    3⤵
    PID:4664
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" start AdskLicensingService
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" start AdskLicensingService
    3⤵
    - Launches sc.exe
    PID:3488
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AdAppMgrSvc.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AdAppMgrSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AutodeskDesktopApp.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AutodeskDesktopApp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im AdskIdentityManager.exe
  2⤵
  - Checks computer location settings
  PID:5092
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im AdskIdentityManager.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im "Autodesk Access UI Host.exe"
  2⤵
  - Checks computer location settings
  PID:760
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "Autodesk Access UI Host.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "taskkill" /f /im "AdskAccessCore.exe"
  2⤵
  - Checks computer location settings
  PID:664
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "AdskAccessCore.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Autodesk Access" /f
  2⤵
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop "Autodesk Access Service Host"
  2⤵
  - Checks computer location settings
  PID:1800
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop "Autodesk Access Service Host"
    3⤵
    - Launches sc.exe
    PID:2344
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" config "Autodesk Access Service Host" start= demand
  2⤵
  - Checks computer location settings
  PID:5028
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config "Autodesk Access Service Host" start= demand
    3⤵
    - Launches sc.exe
    PID:4564
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
  2⤵
  - Checks computer location settings
  PID:3624
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Autodesk\AdskIdentityManager\uninstall.exe" --mode unattended
    3⤵
    PID:4732
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
  2⤵
  - Checks computer location settings
  PID:1668
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\removeAdAppMgr.exe" --mode unattended
    3⤵
    PID:5112
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
  2⤵
  - Checks computer location settings
  PID:1492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive )
    3⤵
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Single Sign On Component" call uninstall /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4972
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
  2⤵
  - Checks computer location settings
  PID:5116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Admin\AppData\Local\Autodesk\Genuine Autodesk Service\id.dat"
    3⤵
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
  2⤵
  - Checks computer location settings
  PID:3096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.pit" "ProductInformation.bak"
    3⤵
    PID:1984
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
  2⤵
  - Checks computer location settings
  PID:3008
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive )
    3⤵
    PID:4200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Genuine Service" call uninstall /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" stop AdskNLM
  2⤵
  - Checks computer location settings
  PID:3388
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" stop AdskNLM
    3⤵
    - Launches sc.exe
    PID:1976
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
  2⤵
  - Checks computer location settings
  PID:3876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c if exist "C:\Windows\System32\wbem\WMIC.exe" ( wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive ) else ( powershell.exe -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\delnowmic.ps1'" )
    3⤵
    PID:2656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic product where name="Autodesk Network License Manager" call uninstall /nointeractive
      4⤵
      PID:4848
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
  2⤵
  - Checks computer location settings
  PID:2716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ren "C:\ProgramData\Autodesk\Adlm\ProductInformation.bak" "ProductInformation.pit"
    3⤵
    PID:1192
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
  2⤵
  - Checks computer location settings
  PID:4972
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi" TRANSFORMS=nlm.mst INSTALLFOLDER="C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager" /qn
    3⤵
    PID:4588
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
  2⤵
  - Checks computer location settings
  PID:3160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
    3⤵
    PID:3612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:1540
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
      4⤵
      Drops file in Program Files directory
      PID:3520
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
  2⤵
  - Checks computer location settings
  PID:4732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
    3⤵
    PID:3388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:232
  - - C:\Windows\system32\xcopy.exe
      xcopy /hkry "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager"
      4⤵
      Drops file in Program Files directory
      PID:3856
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
  2⤵
  - Checks computer location settings
  PID:1896
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" create AdskNLM binPath= "\"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe\"" start= auto depend= WinMgmt/+NetworkProvider obj= "NT AUTHORITY\LocalService" displayname= AdskNLM
    3⤵
    - Launches sc.exe
    PID:3672
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
  2⤵
  - Checks computer location settings
  PID:1880
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
    3⤵
    PID:860
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
  2⤵
  - Checks computer location settings
  PID:4848
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
    3⤵
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
  2⤵
  - Checks computer location settings
  PID:1908
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
    3⤵
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
  2⤵
  - Checks computer location settings
  PID:1664
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:4308
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
  2⤵
  - Checks computer location settings
  PID:4800
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Lmgrd" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" /f
    3⤵
    PID:4924
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
  2⤵
  - Checks computer location settings
  PID:2176
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "License" /d "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" /f
    3⤵
    PID:4704
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
  2⤵
  - Checks computer location settings
  PID:1932
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager\AdskNLM" /v "Service" /d "AdskNLM" /f
    3⤵
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
  2⤵
  - Checks computer location settings
  PID:1868
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\FLEXlm License Manager" /v "lmtools_LM_A_DISABLE_ENV" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "27080@localhost" /f
  2⤵
  - Checks computer location settings
  PID:2476
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\FLEXlm License Manager" /v "ADSKFLEX_LICENSE_FILE" /d "27080@localhost" /f
    3⤵
    PID:1672
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
  2⤵
  - Checks computer location settings
  PID:3624
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADAOptIn" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:4232
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
  2⤵
  - Checks computer location settings
  PID:4852
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "ADARePrompted" /t "REG_DWORD" /d "1" /f
    3⤵
    PID:1120
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "reg" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
  2⤵
  - Checks computer location settings
  PID:1044
- - C:\Windows\System32\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Autodesk\MC3" /v "OverridedByHKLM" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:1132
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
  2⤵
  - Checks computer location settings
  PID:1056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo D | xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
    3⤵
    PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo D "
      4⤵
      PID:4976
  - - C:\Windows\system32\xcopy.exe
      xcopy /y "C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json" "C:\Users\Admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent"
      4⤵
      PID:1356
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  - Checks computer location settings
  PID:4780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:4388
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:8
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software1.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  - Checks computer location settings
  PID:2472
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software1.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:2124
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software1.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:4420
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software2.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
  2⤵
  - Checks computer location settings
  PID:3180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts" || echo ^0.0.0.0 genuine-software2.autodesk.com >> "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Drops file in Drivers directory
    PID:1968
  - - C:\Windows\system32\find.exe
      find /c /i "genuine-software2.autodesk.com" "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      PID:2528
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "cmd" /c ipconfig /flushdns
  2⤵
  - Checks computer location settings
  PID:4580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /flushdns
    3⤵
    PID:1416
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /flushdns
      4⤵
      Gathers network information
      PID:3764
- C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe
  "C:\Users\Admin\AppData\Local\Temp\012e60b44219e9aa3c477f29490346ecc592acc69fbe91aaa172c8206d9e1c15.exe" -sfxwaitall:0 "sc" start AdskNLM
  2⤵
  - Checks computer location settings
  PID:908
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" start AdskNLM
    3⤵
    - Launches sc.exe
    PID:3468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9C7F6EEAC808941CCAD255299FB58B43
  2⤵
  - Loads dropped DLL
  PID:3096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A012A50944F67439C37DB232360F0BDF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C29AA7C9F2D37A5476CD22974E25CD28 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:908

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe"
1⤵
- Executes dropped EXE
PID:3552
- C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
  "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe" -c "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic" -z -s
  2⤵
  - Executes dropped EXE
  PID:408
- - C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
    adskflex.exe -T Spdebjwh 11.19 -1 -c ";C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\licenses.lic;" -srv KkF2378sucSvWRGRmy7OEaVRUGFAIU4uNlbknuCDHP8BXlOmwWAgJlu2sjWBhKf --lmgrd_start 674f32e1 -vdrestart 0
    3⤵
    - Executes dropped EXE
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c102.rbs

Filesize
9KB

MD5
6dae6abd90cebd0f8fe0f418b299607a

SHA1
0a4e5ba70dbaa2f1fe5880be3e2209349719e5a8

SHA256
84aad3588546b5ba1c3bcb9f0af500050648f031e26cce7581bd482679b3254c

SHA512
0f5f68f85faecffdd737afbdab3aa34961ccaaea5bfcb03e02ad1c0485ff0b89c405063dc91a42e70cc908791ea2703e37369fa40435e6d513f1cbcafb63872f

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.rtf

Filesize
99KB

MD5
db9b6d0f44bc811c52314bf36f6328b2

SHA1
0dbe841933f5cf468b42db7eb6b0aae88292300d

SHA256
994dbb01d6e468706e7f783b609bc9948e05ddf55fb0c43333d55c09359064e8

SHA512
5679169d9baf3654fcd1b73a46914f4cbfe37bc177b2fc8a9d711a71aca6d96bbb08b1645d26b0c5a2855a2a8bd1ac748e47c24b2832a134fd3d1c085df52941

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\LicenseAdministration.pdf

Filesize
2.8MB

MD5
b2a5ae4e47d0af4c147e7e18fc2df586

SHA1
1488f395cb226c59ad79a1d44f0e6f4f04ad0183

SHA256
9a50fa1d2fde367fa21341364ca14836663a11057958743dfd8d661e311481b6

SHA512
31093cb835bc9ab707c92877a9ccc5da54c725ca686917d0eece05a8444bb102027cc8b877b07010cc2550d3dcb4560b1bd6eb7efef8a2884289167de198de7e

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe

Filesize
2.7MB

MD5
b19c8acbaea67f6c2a05335beef3ee1f

SHA1
535885c94b3289263c1e0f6f2228463919179ea8

SHA256
f90c004a9803c4c7cb13541a03f96bda1fa3d0dd37591bdc0e71b53ccba5f725

SHA512
cb3ca83c260a1d7bb101bb49198196668f7eb761f362c0f06c13233bec78a74694a8714af55497b9d0481c639d95da59a41628a03150f67db0429e98b2de55fb

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe

Filesize
1.3MB

MD5
5511d5d99c5b8d7c5147be9c0b4b9ba6

SHA1
87ecb85ee85857d8448b3dac3ae95128909cf2b6

SHA256
54c993ec37cdc90a8821edd3fc3fc44704c2de7a28db4efbb9f8a781b83cdbbf

SHA512
45600a7872381e1f75633406e2735d43f316ec715583de2555bc8ca35c09b2a77541135223362655b6208fa23da5184179ba1277d32cd1b43991c4b6ec84a44e

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmtools.exe

Filesize
1.5MB

MD5
58c91376ac43ef1e60a339c794132932

SHA1
50f8f91a31df2e3a6e86c0737f0e9e51953b3bcf

SHA256
899b30518b93ff451b4cc49e3d1b33f3a56909c430f4ad179825ca9a0b049593

SHA512
8e7845874d8d5655a76bf28903e9ef7623ad976867e62bb60cc55fc2338ff198d8901de8b81c4c02ec75f5b87890687ab59cce467d48de1a5e653efc2537bc79

Download Submit
C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmutil.exe

Filesize
1.4MB

MD5
795074805b95913a8edb4e7dcdd58715

SHA1
53f635038817c5866dd825897df87d21c8033310

SHA256
75d8c3fe59f5b9aaceb76e24fe1a44b805c65bbfcbfc489d66f9a479f1cf4425

SHA512
45f22452bf8d1aac0b658ce1afa57b014f4c9b14924110e03deb82474e84934d368be19e481b037c7f8a0e2e33835bd1dd38858c1f6b1ea0f1a9ed0558ee4edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\UnNamed.json

Filesize
408B

MD5
ba3088f87edfcceb1e084c971db40601

SHA1
ca755bec6d224f4ff0f966e30824bcbb3f5f2f3f

SHA256
e0371582686d18b48edb9e956057b52aa97de8c034ee79aab10ffb5331711651

SHA512
e2a61a4b5e160e85010dc195e0f86561b7479f388237af39bb9d0d1d07aa04320e3c71873f4aea40fb2e80c2803de994d5d87be07244705d0687dfb9833dad68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\adskflex.exe

Filesize
2.7MB

MD5
e974687b0135a662623056078a8e58e1

SHA1
d448155e737c544e1cce77fc44098809004b93e2

SHA256
82be4ec8ba546ebf1e3448976d06e163e9c4e258301cfceb9ce8a2d76ecbd6ae

SHA512
0c08d1a59692be0d313cfe22384236adc849fa22310afc1e4c680be57058f643309b9db708080cd7e320e22b15e47d5588fd112ada7a0576b908e7ac8d58d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\licenses.lic

Filesize
340KB

MD5
bb0cb674eab3b0efd851948a0a5ac03d

SHA1
671b0add6326a17ac00840d7c656d90abd33e4af

SHA256
b25e227dfc17a5b81505ed27a697f35e2f318b8ae88b1dc7bf4278995befe72a

SHA512
a626e5dc3496508c5d7c644de91b9b7bbc4053425599f5ae1919b8996439c7ea80d3c626ed032e537c62ee4f479fb275caf893da9cc916a53fc4f5f395dffee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm.mst

Filesize
20KB

MD5
29810bab1ef69a3d26872093ef09372b

SHA1
7909ffedce856814353a753bcf891085c4c0f03e

SHA256
90e413cd675ee085c441df6327f6661a3459f4e109e0684b1a361c050d672bdb

SHA512
f4c08df269e65accac37233cb6abe0d6c5ed6fa952bb11f4f77abaa628ef2301f85627fe3bf2a3a79d99f6dd841abe7629b74b13eab96cce48d1c82911d6f857

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\nlm11-19-4-1-ipv4-ipv6-win64.msi

Filesize
8.2MB

MD5
bbd4394d0c1d30fbf9ad4715ff217821

SHA1
971916842f2d6cbbb1fb7cd266fc0d31dca40079

SHA256
67ac43957233a6ebff216d0ff603b9d045583a6234c9a428f81b591b36a8fa71

SHA512
d2c086d589997548b4d83da078cf52ef83b2f6ac4f7aa7604d5c07b7d3cb998b381ebaba252e0880edae7ea0cf17de8ef86f70b4a6104c0cb72123d401cac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adsk-NLM\version.dll

Filesize
73KB

MD5
4c059805319a0bb6830c563e41d85918

SHA1
569cbf5401de4c378e7aac030c94430daef57b62

SHA256
c6a4426b196f19b0a456908b20a1b5fa6d2dae8cdb1ee7bc537f2842014ba6db

SHA512
e12a6ac84aa6a96965a092f09fcc7711ff3553c64b620a595ba1f1726377f7356e97d0ffa0dc8759d8217fd67a18b312e8c37c6441bbe9c438596742a0ad6b07

Download Submit
C:\Windows\Installer\MSIC2A4.tmp

Filesize
99KB

MD5
1dbd78917f6da40fcdf7078ef82e19b0

SHA1
7e9a89081db720025063330a78810021869393d9

SHA256
b6861d25bde12b74229db3a4796cb9a529512042cde0bc5ad0121b0576d672e4

SHA512
da46c5cb81e1b105bf51296513ae8ade8e35bb110895b3254b5241ccaff55cd5a7c3bfb93bd2d20c35222fce0649db96ca644a39934c1dfa35e9607cc03db6e6

Download Submit
C:\Windows\Installer\MSIC303.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
0bb03e00e363035dc54f0c5b068bc203

SHA1
d817a3f5a301eef9b5d1abea39ac10307c6528bb

SHA256
89efd1755623e9a2790796203f560fdb39fe89ec6879f7c6bde4b710e556aa05

SHA512
b4f72e92348d78f08fcad5d87dd877a13c48e6a45be4064bb49689a864915dda9bbd9f4cd7af5bc79ab08cf826c1108f1b5717a59caebc26689f77c022a3d938

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
504deec104e3337c8dd25d5ae2fd1226

SHA1
e73fe504e0c29d829421951b755b4122c12850d7

SHA256
0ad0fc4efd23b0cf964c2fe9cec0c4c28eb6647b49741a4370dd6e0ed22eeaff

SHA512
8072c33b8643791af79bb09b595943e29ba5e56df727239b2776eee1eb5441f776f50e3c234718c7a1591338f13a7efaa3a5e834ed87954e502a9cab1d534a29

Download Submit