File name: Autodesk License Patcher Installer.exe

Full analysis: https://app.any.run/tasks/f1667c72-543b-4489-9aa8-f71f5a948365
Verdict: Malicious activity
Analysis date: December 28, 2023, 10:02:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: BF0FDF0D95C036AB6D7EF4288E40457A
SHA1: 43750C4A571C1AC2997FC841E2373FA97A9DBF79
SHA256: 9F6C153D4498CF4E8FEA9209E748E53F4B01C7F50359028D7E919792564ECA86
SSDEEP: 49152:tLSR+qIEC+ywvoazhTVTFN6LS+w85Y4eYIpwFVobn36z2Fg08bj72oPtWrLbUJH/:BSQ+CahT70So57zIpwmnqSF1kXJUPgJf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 1728)
      • cmd.exe (PID: 1836)
      • net.exe (PID: 3320)
      • net.exe (PID: 4084)
      • cmd.exe (PID: 3524)
      • net.exe (PID: 1392)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2632)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1836)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1844)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Autodesk License Patcher Installer.exe (PID: 2044)
      • cmd.exe (PID: 1356)
      • Service.exe (PID: 3452)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 3524)
    • Reads the Internet Settings

      • Autodesk License Patcher Installer.exe (PID: 2044)
      • powershell.exe (PID: 2632)
      • Service.exe (PID: 3452)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1356)
      • Autodesk License Patcher Installer.exe (PID: 2044)
      • cmd.exe (PID: 1836)
      • Service.exe (PID: 3452)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 3524)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 3524)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1844)
      • cmd.exe (PID: 1836)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 1844)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 3524)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 1844)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 2632)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1836)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 1836)
    • Process uses powershell cmdlet to discover network configuration

      • cmd.exe (PID: 1844)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 1836)
  • INFO

    • Checks supported languages

      • Autodesk License Patcher Installer.exe (PID: 2044)
      • mode.com (PID: 2088)
      • chcp.com (PID: 324)
      • chcp.com (PID: 1236)
      • mode.com (PID: 1972)
      • msiexec.exe (PID: 2788)
      • chcp.com (PID: 3508)
      • Service.exe (PID: 3452)
      • mode.com (PID: 3696)
    • Drops the executable file immediately after the start

      • Autodesk License Patcher Installer.exe (PID: 2044)
      • xcopy.exe (PID: 1656)
      • xcopy.exe (PID: 2340)
      • xcopy.exe (PID: 1824)
      • xcopy.exe (PID: 1784)
      • xcopy.exe (PID: 1540)
      • xcopy.exe (PID: 1728)
    • Reads the computer name

      • Autodesk License Patcher Installer.exe (PID: 2044)
      • msiexec.exe (PID: 2788)
      • Service.exe (PID: 3452)
    • Application launched itself

      • cmd.exe (PID: 1356)
      • cmd.exe (PID: 1836)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 2788)
    • Creates files or folders in the user directory

      • xcopy.exe (PID: 2304)
    • Creates files in the program directory

      • Service.exe (PID: 3452)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 01:38:38+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
Total processes: 125
Monitored processes: 86
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in the order listed (every process is labeled "no specs" except the second cmd.exe): start, autodesk license patcher installer.exe, cmd.exe, chcp.com, mode.com, reg.exe, fltmc.exe, cmd.exe, chcp.com, mode.com, reg.exe, fltmc.exe, ping.exe ×2, net.exe, net1.exe, taskkill.exe ×9, powershell.exe, msiexec.exe, regedit.exe, ping.exe, xcopy.exe ×8, ping.exe, cmd.exe, powershell.exe ×2, ping.exe, sc.exe, schtasks.exe ×2, ping.exe, netsh.exe ×16, ping.exe, net.exe, net1.exe, ping.exe, service.exe, cmd.exe, ping.exe, chcp.com, mode.com, reg.exe, fltmc.exe, ping.exe, net.exe, net1.exe, taskkill.exe ×9, net.exe, net1.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 324 | CMD: chcp 1254 | Path: C:\Windows\System32\chcp.com | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 584 | CMD: regedit.exe /s "C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg" | Path: C:\Windows\regedit.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 844 | CMD: ping 127.0.0.1 -n 5 | Path: C:\Windows\System32\PING.EXE | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 920 | CMD: ping 127.0.0.1 -n 5 | Path: C:\Windows\System32\PING.EXE | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 952 | CMD: netsh advfirewall firewall delete rule name="Blocked C:\Autodesk Shared\Network License Manager\adskflex.exe" | Path: C:\Windows\System32\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 984 | CMD: sc config "AdskLicensingService" Start= Auto | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1016 | CMD: taskkill /F /IM "AdskLicensingAnalyticsClient.exe" | Path: C:\Windows\System32\taskkill.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1192 | CMD: netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="\Autodesk Shared\Network License Manager\lmgrd.exe" | Path: C:\Windows\System32\netsh.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1236 | CMD: chcp 1254 | Path: C:\Windows\System32\chcp.com | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1356 | CMD: C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" " | Path: C:\Windows\System32\cmd.exe | Parent process: Autodesk License Patcher Installer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 13 540
Read events: 12 780
Write events: 760
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2044) Autodesk License Patcher Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(2044) Autodesk License Patcher Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(2044) Autodesk License Patcher Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(2044) Autodesk License Patcher Installer.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(2632) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(2632) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(2632) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(2632) powershell.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(1812) netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(1192) netsh.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
Executable files: 11
Suspicious files: 10
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml | xml
MD5: DBFED3FF9DC6CA06E2CF0E2E63098D66
SHA256: 409A178ED9B9C0929FD9F3B8C3A58AFD1B3370C53BAF49B4956CF9A79F50D398
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat | text
MD5: EE34A40FC63D11A232F59F9AD270C0E8
SHA256: 954F2F867E25511DF30BD119D2714F1DA7B01F49D9391651AA6BEB29B86D7E9D
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Tweak\Tweak.reg | text
MD5: 2859C8E3C69A5D627C88B6E695EA3A2E
SHA256: C41C2D93CA317CC19AA49C48DCF681D1074DCA34695A061202C202BE62DB3745
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Tweak\UnNamed.json | binary
MD5: BA3088F87EDFCCEB1E084C971DB40601
SHA256: E0371582686D18B48EDB9E956057B52AA97DE8C034EE79AAB10FFB5331711651
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe | executable
MD5: C00B8B7B1C084718EC5D63A53AEFB1EB
SHA256: 05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe | executable
MD5: 219F8CEBEF26F1373062357B2F4A8489
SHA256: CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\netapi32.dll | executable
MD5: 5C51CC926C76B23830D27A97445BF734
SHA256: 655181D13D9707500BF77FF88B0B6C2595459B475ADE7B919A2B1E00402C1CEB
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll | executable
MD5: 51F0E19B4CF164ECBA9A006C4CF3B2A5
SHA256: 6F13E52D797A732435C8BB456BE08C64D0B6FADEA29F85486F4B44559D6CC95F
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic | text
MD5: 26F3D6DF8657CD5CDBDC14516A5FE90E
SHA256: FABC5525D24DCCD6C72067A7E0D41BB9286852E2F0325C32C7A63FC0B1E49E97
2044 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Service\Service.exe | executable
MD5: C944E7122CA3F75139661B05A7985A57
SHA256: 87CF3AFABAC4A8F0881F8C96D5E64B4A8C1A67E05A8351AD9A451C6301FBE5E4
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info