File name:

Autodesk License Patcher Installer.exe

Full analysis: https://app.any.run/tasks/393a4f2f-6320-48bc-a0ed-51b1bc0ff8bc
Verdict: Malicious activity
Analysis date: February 15, 2024, 11:51:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

B95E7FB5FEF3504B33CA6D9BC12C74C5

SHA1:

0B9285E8F6BD0B728A8F597134C189B869546060

SHA256:

9533F268367B94A4AEF11613ED4D496E610785BBC16F2B9A39A52DEFFB6DA681

SSDEEP:

49152:tLSR+ZtEC+ywvoazhTVTFN6LS+w85Y4eYIpwFVobn36z2Fg08bj72oPtWrLbUJHu:BSQ4CahT70So57zIpwmnqSF1kXJUPgJO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3500)
      • net.exe (PID: 1824)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • cmd.exe (PID: 3916)

    • Executable content was dropped or overwritten

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • xcopy.exe (PID: 240)
      • xcopy.exe (PID: 2000)
      • xcopy.exe (PID: 2904)
      • xcopy.exe (PID: 1644)
      • xcopy.exe (PID: 3324)
      • xcopy.exe (PID: 1768)

    • Reads security settings of Internet Explorer

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Executing commands from a ".bat" file

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • cmd.exe (PID: 3916)

    • Reads the Internet Settings

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3500)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3500)

    • Application launched itself

      • cmd.exe (PID: 3916)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3500)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3500)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3500)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3500)

  • INFO

    • Checks supported languages

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • mode.com (PID: 3892)
      • chcp.com (PID: 3664)
      • chcp.com (PID: 2580)
      • mode.com (PID: 2232)

    • Reads the computer name

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 2000)
      • xcopy.exe (PID: 2904)
      • xcopy.exe (PID: 240)
      • xcopy.exe (PID: 1644)
      • xcopy.exe (PID: 3324)
      • xcopy.exe (PID: 1768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
36
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start autodesk license patcher installer.exe cmd.exe no specs chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs cmd.exe chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs ping.exe no specs ping.exe no specs net.exe no specs net1.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs powershell.exe no specs regedit.exe no specs ping.exe no specs xcopy.exe xcopy.exe xcopy.exe no specs xcopy.exe xcopy.exe xcopy.exe xcopy.exe xcopy.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
492Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
748taskkill /F /IM "AdskLicensingAgent.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1340taskkill /F /IM "adskflex.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1572taskkill /F /IM "AdskLicensingAnalyticsClient.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1576taskkill /F /IM "AdskLicensingInstHelper.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1576xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1644xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1768xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1824net stop AdskLicensingService C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
Total events
6 536
Read events
6 528
Write events
8
Delete events
0

Modification events

(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
11
Suspicious files
4
Text files
5
Unknown types
2

Dropped files

PID
Process
Filename
Type
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lictext
MD5:6F7171985974EFE30D7A8FB99EC78587
SHA256:973FE3EE3BCE97A4A2A63E92710E706306E97FCD236345EF0D0C967E3996A722
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.battext
MD5:EE34A40FC63D11A232F59F9AD270C0E8
SHA256:954F2F867E25511DF30BD119D2714F1DA7B01F49D9391651AA6BEB29B86D7E9D
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.jsonbinary
MD5:BA3088F87EDFCCEB1E084C971DB40601
SHA256:E0371582686D18B48EDB9E956057B52AA97DE8C034EE79AAB10FFB5331711651
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exeexecutable
MD5:C00B8B7B1C084718EC5D63A53AEFB1EB
SHA256:05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xmlxml
MD5:DBFED3FF9DC6CA06E2CF0E2E63098D66
SHA256:409A178ED9B9C0929FD9F3B8C3A58AFD1B3370C53BAF49B4956CF9A79F50D398
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dllexecutable
MD5:5C51CC926C76B23830D27A97445BF734
SHA256:655181D13D9707500BF77FF88B0B6C2595459B475ADE7B919A2B1E00402C1CEB
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\Service\Service.exeexecutable
MD5:C944E7122CA3F75139661B05A7985A57
SHA256:87CF3AFABAC4A8F0881F8C96D5E64B4A8C1A67E05A8351AD9A451C6301FBE5E4
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dllexecutable
MD5:51F0E19B4CF164ECBA9A006C4CF3B2A5
SHA256:6F13E52D797A732435C8BB456BE08C64D0B6FADEA29F85486F4B44559D6CC95F
492powershell.exeC:\Users\admin\AppData\Local\Temp\gat5mm4p.nuw.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2296xcopy.exeC:\Autodesk Shared\Network License Manager\License.lictext
MD5:6F7171985974EFE30D7A8FB99EC78587
SHA256:973FE3EE3BCE97A4A2A63E92710E706306E97FCD236345EF0D0C967E3996A722
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Autodesk License Patcher Installer.exe