Malware analysis Autodesk License Patcher Installer.exe Malicious activity

Add for printing

File name:	Autodesk License Patcher Installer.exe
Full analysis:	https://app.any.run/tasks/256ec339-c4bd-4d4b-8002-878d0b3be248
Verdict:	Malicious activity
Analysis date:	October 14, 2024, 18:57:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	E00DF93BC81B91BA6F8143E41DE92C72
SHA1:	2D88C9A73139C36F390CB2E82343367F395A83D5
SHA256:	6A065F06DC81E9BBCD26CA027463B9BE99678887870F988180A4EB68EBACE5B7
SSDEEP:	24576:Lrr/992rDc30x5tUewSFYndCfeI+GajylnGhj9EirEuaXmSmmzpITG:LHezxbUJndWeMln8FrmXmSmaITG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - cmd.exe (PID: 5220)
  - net.exe (PID: 5236)
  - net.exe (PID: 6240)
  - cmd.exe (PID: 3848)
  - net.exe (PID: 1372)
  - net.exe (PID: 6768)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 5788)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6860)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 5220)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Autodesk License Patcher Installer.exe (PID: 6220)
- Executing commands from a ".bat" file
  - Autodesk License Patcher Installer.exe (PID: 6220)
  - cmd.exe (PID: 6436)
  - Service.exe (PID: 1764)
- Starts application with an unusual extension
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 3848)
- Starts CMD.EXE for commands execution
  - Autodesk License Patcher Installer.exe (PID: 6220)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 6436)
  - Service.exe (PID: 1764)
- Executable content was dropped or overwritten
  - Autodesk License Patcher Installer.exe (PID: 6220)
  - xcopy.exe (PID: 5980)
  - xcopy.exe (PID: 6268)
  - xcopy.exe (PID: 5068)
  - xcopy.exe (PID: 4432)
  - xcopy.exe (PID: 2132)
  - xcopy.exe (PID: 7048)
- Application launched itself
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 5220)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 3848)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 3848)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 3848)
- Probably file/command deobfuscation
  - cmd.exe (PID: 5788)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 5788)
- Process copies executable file
  - cmd.exe (PID: 5220)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 5788)
  - cmd.exe (PID: 5220)
- Process uses powershell cmdlet to discover network configuration
  - cmd.exe (PID: 5788)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 624)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 5788)
  - cmd.exe (PID: 5220)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 5220)
INFO
- Reads the computer name
  - Autodesk License Patcher Installer.exe (PID: 6220)
- Process checks computer location settings
  - Autodesk License Patcher Installer.exe (PID: 6220)
- Changes the display of characters in the console
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 3848)
- Checks supported languages
  - chcp.com (PID: 5580)
  - chcp.com (PID: 6708)
  - mode.com (PID: 6680)
  - mode.com (PID: 6548)
  - Autodesk License Patcher Installer.exe (PID: 6220)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 6548)
  - mode.com (PID: 6680)
  - mode.com (PID: 6864)
- The process uses the downloaded file
  - cmd.exe (PID: 6436)
  - Autodesk License Patcher Installer.exe (PID: 6220)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:12:31 00:38:38+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	57344
InitializedDataSize:	176128
UninitializedDataSize:	258048
EntryPoint:	0x4cf60
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	Russian
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	-
LegalCopyright:	-
LegalTrademarks:	-
InternalName:	-
ProductName:	-
OriginalFileName:	-
FileVersion:	-
ProductVersion:	-
Comments:	-
PrivateBuild:	-
SpecialBuild:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

216

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

624

schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f

C:\Windows\SysWOW64\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1008

C:\WINDOWS\system32\net1 start AdskLicensingService

C:\Windows\SysWOW64\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

1112

taskkill /F /IM "AdskLicensingService.exe"

C:\Windows\SysWOW64\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1252

xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i

C:\Windows\SysWOW64\xcopy.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Extended Copy Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1344

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1372

net start AdskLicensingService

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1588

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1752

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1764

"C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe"

C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe

—

cmd.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files (x86)\common files\autodesk shared\network license manager\service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1792

taskkill /F /IM "lmgrd.exe"

C:\Windows\SysWOW64\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

21 086

Read events

21 047

Write events

Delete events

Modification events


(PID) Process:	(6436) cmd.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\system32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(6436) cmd.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\system32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(7144) regedit.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Autodesk\MC3
Operation:	write	Name:	OverridedByHKLM
Value: 0
(PID) Process:	(7144) regedit.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Autodesk\MC3
Operation:	write	Name:	ADAOptIn
Value: 0
(PID) Process:	(7144) regedit.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Autodesk\MC3
Operation:	write	Name:	ADARePrompted
Value: 1
(PID) Process:	(7144) regedit.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\FLEXlm License Manager
Operation:	write	Name:	ADSKFLEX_LICENSE_FILE
Value: @LOCALHOST
(PID) Process:	(7144) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager
Operation:	write	Name:	lmtools_LM_A_DISABLE_ENV
Value: 1
(PID) Process:	(7144) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager
Operation:	write	Name:	Service
Value: Flexlm Service
(PID) Process:	(7144) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Flexlm Service
Operation:	write	Name:	Lmgrd
Value: C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
(PID) Process:	(7144) regedit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FLEXlm License Manager\Flexlm Service
Operation:	write	Name:	LMGRD_LOG_FILE
Value: C:\ProgramData\FLEXlm\lmgrd\debug.log

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6220	Autodesk License Patcher Installer.exe	C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic		text
		MD5:4B8D39889C5F1B4AF558825A8D2A39C8	SHA256:3763150DABEA1CC048F122043D4F0FA1FCBE1BB385EF4580FC8AF428EB818F03
5980	xcopy.exe	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe		executable
		MD5:C00B8B7B1C084718EC5D63A53AEFB1EB	SHA256:05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
1252	xcopy.exe	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\License.lic		text
		MD5:4B8D39889C5F1B4AF558825A8D2A39C8	SHA256:3763150DABEA1CC048F122043D4F0FA1FCBE1BB385EF4580FC8AF428EB818F03
5068	xcopy.exe	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.exe		executable
		MD5:C944E7122CA3F75139661B05A7985A57	SHA256:87CF3AFABAC4A8F0881F8C96D5E64B4A8C1A67E05A8351AD9A451C6301FBE5E4
6268	xcopy.exe	C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe		executable
		MD5:219F8CEBEF26F1373062357B2F4A8489	SHA256:CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973
6220	Autodesk License Patcher Installer.exe	C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml		xml
		MD5:DBFED3FF9DC6CA06E2CF0E2E63098D66	SHA256:409A178ED9B9C0929FD9F3B8C3A58AFD1B3370C53BAF49B4956CF9A79F50D398
6220	Autodesk License Patcher Installer.exe	C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json		binary
		MD5:BA3088F87EDFCCEB1E084C971DB40601	SHA256:E0371582686D18B48EDB9E956057B52AA97DE8C034EE79AAB10FFB5331711651
5588	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1tuthoqs.bfm.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6220	Autodesk License Patcher Installer.exe	C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe		executable
		MD5:C944E7122CA3F75139661B05A7985A57	SHA256:87CF3AFABAC4A8F0881F8C96D5E64B4A8C1A67E05A8351AD9A451C6301FBE5E4
5588	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:19C45F30C058FF1009C50ADE9A3BB542	SHA256:2815E7F19F3B935070D2758149380F725CD68293A2C5E100DCDF51C0CE505E1C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.21.20.146:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6248	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6492	WmiPrvSE.exe	GET	200	2.16.164.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
632	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6492	WmiPrvSE.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
6248	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6492	WmiPrvSE.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl	unknown	—	—	whitelisted
6492	WmiPrvSE.exe	GET	200	2.16.164.114:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1588	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6944	svchost.exe	2.21.20.146:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4360	SearchApp.exe	2.23.209.189:443	www.bing.com	Akamai International B.V.	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208 51.104.136.2	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	2.21.20.146 2.21.20.139 2.16.164.114 2.16.164.106	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
www.bing.com	2.23.209.189 2.23.209.179 2.23.209.176 2.23.209.185 2.23.209.158 2.23.209.130 2.23.209.133 2.23.209.187 2.23.209.182	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.68 20.190.159.73 20.190.159.0 40.126.31.69 20.190.159.71 20.190.159.23 40.126.31.73 20.190.159.2	whitelisted
th.bing.com	2.23.209.135 2.23.209.185 2.23.209.133 2.23.209.187 2.23.209.189 2.23.209.130 2.23.209.150 2.23.209.179 2.23.209.182	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Autodesk License Patcher Installer.exe

E00DF93BC81B91BA6F8143E41DE92C72

2D88C9A73139C36F390CB2E82343367F395A83D5

6A065F06DC81E9BBCD26CA027463B9BE99678887870F988180A4EB68EBACE5B7

24576:Lrr/992rDc30x5tUewSFYndCfeI+GajylnGhj9EirEuaXmSmmzpITG:LHezxbUJndWeMln8FrmXmSmaITG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Uses Task Scheduler to run other applications

SUSPICIOUS

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

Starts application with an unusual extension

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Runs PING.EXE to delay simulation

Uses TASKKILL.EXE to kill process

Probably file/command deobfuscation

Starts POWERSHELL.EXE for commands execution

Process copies executable file

Probably obfuscated PowerShell command line is found

Process uses powershell cmdlet to discover network configuration

Deletes scheduled task without confirmation

The process bypasses the loading of PowerShell profile settings

Uses NETSH.EXE to add a firewall rule or allowed programs

INFO

Reads the computer name

Process checks computer location settings

Changes the display of characters in the console

Checks supported languages

Starts MODE.COM to configure console settings

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats