File name: Autodesk License Patcher Installer.exe

Full analysis: https://app.any.run/tasks/f8ca408b-e554-4c52-b777-b2e73e750988
Verdict: Malicious activity
Analysis date: April 13, 2024, 15:14:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 282B3086E5F89DE07E02100C1AAD4B08
SHA1: C2D6B76E04501D75E7FB514F71B35CCDFF86C255
SHA256: 037CF74D48A8DD53326814B9E6C17ECAD77E4499FD2DC60761CC044EF0D3724C
SSDEEP: 24576:Lrr/9I2rDc30x5tUewSFYndCfeI+GajylnGhj9EirEuaXmSmmzpITG:LHpzxbUJndWeMln8FrmXmSmaITG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Autodesk License Patcher Installer.exe (PID: 3956)
    • Starts NET.EXE for service management

      • net.exe (PID: 1368)
      • cmd.exe (PID: 3684)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2128)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2760)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Autodesk License Patcher Installer.exe (PID: 3956)
      • xcopy.exe (PID: 3984)
      • xcopy.exe (PID: 3976)
      • xcopy.exe (PID: 2632)
      • xcopy.exe (PID: 1784)
      • xcopy.exe (PID: 2040)
      • xcopy.exe (PID: 3496)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3684)
    • Application launched itself

      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3684)
    • Executing commands from a ".bat" file

      • Autodesk License Patcher Installer.exe (PID: 3956)
      • cmd.exe (PID: 2856)
    • Starts CMD.EXE for commands execution

      • Autodesk License Patcher Installer.exe (PID: 3956)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3684)
    • Reads security settings of Internet Explorer

      • Autodesk License Patcher Installer.exe (PID: 3956)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3684)
    • Reads the Internet Settings

      • Autodesk License Patcher Installer.exe (PID: 3956)
    • Process copies executable file

      • cmd.exe (PID: 3684)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3684)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3684)
      • cmd.exe (PID: 2128)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3684)
      • cmd.exe (PID: 2128)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3684)
    • Probably file/command deobfuscation

      • cmd.exe (PID: 2128)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 3684)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 3684)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3684)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 3684)
    • Process uses powershell cmdlet to discover network configuration

      • cmd.exe (PID: 2128)
  • INFO

    • Checks supported languages

      • Autodesk License Patcher Installer.exe (PID: 3956)
      • chcp.com (PID: 3960)
      • mode.com (PID: 116)
      • chcp.com (PID: 2148)
      • mode.com (PID: 3776)
    • Reads the computer name

      • Autodesk License Patcher Installer.exe (PID: 3956)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 2632)
      • xcopy.exe (PID: 3984)
      • xcopy.exe (PID: 3976)
      • xcopy.exe (PID: 2040)
      • xcopy.exe (PID: 1784)
      • xcopy.exe (PID: 3496)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 103
Monitored processes: 61
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process launch order (processes tagged "no specs" triggered no signatures in the sandbox):

start → autodesk license patcher installer.exe → cmd.exe (no specs) → chcp.com (no specs) → mode.com (no specs) → reg.exe (no specs) → fltmc.exe (no specs) → cmd.exe → chcp.com (no specs) → mode.com (no specs) → reg.exe (no specs) → fltmc.exe (no specs) → ping.exe (no specs) → ping.exe (no specs) → net.exe (no specs) → net1.exe (no specs) → taskkill.exe (no specs) ×9 → powershell.exe (no specs) → regedit.exe (no specs) → ping.exe (no specs) → xcopy.exe → xcopy.exe → xcopy.exe (no specs) → xcopy.exe → xcopy.exe → xcopy.exe → xcopy.exe → xcopy.exe (no specs) → ping.exe (no specs) → cmd.exe (no specs) → powershell.exe (no specs) → powershell.exe (no specs) → ping.exe (no specs) → sc.exe (no specs) → schtasks.exe (no specs) → schtasks.exe (no specs) → ping.exe (no specs) → netsh.exe (no specs) ×16 → ping.exe (no specs)

Process information

PID: 116
CMD: mode con: cols=70 lines=15
Path: C:\Windows\System32\mode.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DOS Device MODE Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 480
CMD: taskkill /F /IM "lmutil.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 572
CMD: ping 127.0.0.1 -n 5
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 840
CMD: xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Extended Copy Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 908
CMD: netsh advfirewall firewall add rule name="Blocked C:\Autodesk Shared\Network License Manager\adskflex.exe" dir=in action=block profile=any program="C:\Autodesk Shared\Network License Manager\adskflex.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1028
CMD: netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="\Autodesk Shared\Network License Manager\lmgrd.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1264
CMD: schtasks.exe /Create /XML C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml /tn "\Microsoft\Windows\Autodesk\Autodesk"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1308
CMD: C:\Windows\system32\net1 stop AdskLicensingService
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 1368
CMD: net stop AdskLicensingService
Path: C:\Windows\System32\net.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID: 1376
CMD: netsh advfirewall firewall delete rule name="Blocked C:\Autodesk Shared\Network License Manager\adskflex.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 6 887
Read events: 6 879
Write events: 8
Delete events: 0

Modification events

Process: (3956) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3956) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3956) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3956) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 11
Suspicious files: 9
Text files: 5
Unknown types: 1

Dropped files

All files below were dropped by PID 3956 (Autodesk License Patcher Installer.exe); the MD5 and SHA256 columns are empty in this excerpt of the report.

Filename | Type
C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml | xml
C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json | binary
C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg | text
C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat | text
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic | text
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe | executable
C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe | executable
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll | executable
C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe | executable
C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll | executable
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info