File name:

Autodesk License Patcher Installer.exe

Full analysis: https://app.any.run/tasks/393a4f2f-6320-48bc-a0ed-51b1bc0ff8bc
Verdict: Malicious activity
Analysis date: February 15, 2024, 11:51:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

B95E7FB5FEF3504B33CA6D9BC12C74C5

SHA1:

0B9285E8F6BD0B728A8F597134C189B869546060

SHA256:

9533F268367B94A4AEF11613ED4D496E610785BBC16F2B9A39A52DEFFB6DA681

SSDEEP:

49152:tLSR+ZtEC+ywvoazhTVTFN6LS+w85Y4eYIpwFVobn36z2Fg08bj72oPtWrLbUJHu:BSQ4CahT70So57zIpwmnqSF1kXJUPgJO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3500)
      • net.exe (PID: 1824)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • xcopy.exe (PID: 240)
      • xcopy.exe (PID: 2000)
      • xcopy.exe (PID: 2904)
      • xcopy.exe (PID: 3324)
      • xcopy.exe (PID: 1644)
      • xcopy.exe (PID: 1768)

    • Starts CMD.EXE for commands execution

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • cmd.exe (PID: 3916)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 3916)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3916)
      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3500)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3500)

    • Application launched itself

      • cmd.exe (PID: 3916)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3500)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3500)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3500)

    • Reads security settings of Internet Explorer

      • Autodesk License Patcher Installer.exe (PID: 3864)

    • Reads the Internet Settings

      • Autodesk License Patcher Installer.exe (PID: 3864)

  • INFO

    • Checks supported languages

      • Autodesk License Patcher Installer.exe (PID: 3864)
      • mode.com (PID: 2232)
      • chcp.com (PID: 2580)
      • mode.com (PID: 3892)
      • chcp.com (PID: 3664)

    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 240)
      • xcopy.exe (PID: 2904)
      • xcopy.exe (PID: 2000)
      • xcopy.exe (PID: 1768)
      • xcopy.exe (PID: 1644)
      • xcopy.exe (PID: 3324)

    • Reads the computer name

      • Autodesk License Patcher Installer.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
36
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start autodesk license patcher installer.exe cmd.exe no specs chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs cmd.exe chcp.com no specs mode.com no specs reg.exe no specs fltmc.exe no specs ping.exe no specs ping.exe no specs net.exe no specs net1.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs powershell.exe no specs regedit.exe no specs ping.exe no specs xcopy.exe xcopy.exe xcopy.exe no specs xcopy.exe xcopy.exe xcopy.exe xcopy.exe xcopy.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
492Powershell -nop -c "Get-WmiObject -Query ' select * from Win32_Product where Name like \"%Autodesk Network License Manager%\" ' | ForEach-Object { ($_).Uninstall()}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
748taskkill /F /IM "AdskLicensingAgent.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1340taskkill /F /IM "adskflex.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1572taskkill /F /IM "AdskLicensingAnalyticsClient.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1576taskkill /F /IM "AdskLicensingInstHelper.exe" C:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1576xcopy "C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json" "C:\Users\admin\AppData\Roaming\Autodesk\ADPSDK\UserConsent\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1644xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1768xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll" "\Autodesk Shared\Adlm\R28\" /Y /K /R /S /H /i C:\Windows\System32\xcopy.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1824net stop AdskLicensingService C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
Total events
6 536
Read events
6 528
Write events
8
Delete events
0

Modification events

(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3864) Autodesk License Patcher Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
11
Suspicious files
4
Text files
5
Unknown types
2

Dropped files

PID
Process
Filename
Type
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xmlxml
MD5:DBFED3FF9DC6CA06E2CF0E2E63098D66
SHA256:409A178ED9B9C0929FD9F3B8C3A58AFD1B3370C53BAF49B4956CF9A79F50D398
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exeexecutable
MD5:C00B8B7B1C084718EC5D63A53AEFB1EB
SHA256:05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lictext
MD5:6F7171985974EFE30D7A8FB99EC78587
SHA256:973FE3EE3BCE97A4A2A63E92710E706306E97FCD236345EF0D0C967E3996A722
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.jsonbinary
MD5:BA3088F87EDFCCEB1E084C971DB40601
SHA256:E0371582686D18B48EDB9E956057B52AA97DE8C034EE79AAB10FFB5331711651
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dllexecutable
MD5:5C51CC926C76B23830D27A97445BF734
SHA256:655181D13D9707500BF77FF88B0B6C2595459B475ADE7B919A2B1E00402C1CEB
492powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exeexecutable
MD5:219F8CEBEF26F1373062357B2F4A8489
SHA256:CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973
3864Autodesk License Patcher Installer.exeC:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dllexecutable
MD5:51F0E19B4CF164ECBA9A006C4CF3B2A5
SHA256:6F13E52D797A732435C8BB456BE08C64D0B6FADEA29F85486F4B44559D6CC95F
240xcopy.exeC:\Autodesk Shared\Network License Manager\adskflex.exeexecutable
MD5:C00B8B7B1C084718EC5D63A53AEFB1EB
SHA256:05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
2000xcopy.exeC:\Autodesk Shared\Network License Manager\lmgrd.exeexecutable
MD5:219F8CEBEF26F1373062357B2F4A8489
SHA256:CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Autodesk License Patcher Installer.exe