File name:

Autodesk License Patcher Installer.exe

Full analysis: https://app.any.run/tasks/baf3681f-5cc9-4e2e-8318-78dffd6a6320
Verdict: Malicious activity
Analysis date: November 20, 2023, 23:04:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

A5203927A840CD75BD807BC80A5F5C64

SHA1:

B1C91369066608F4B97D82B677EBBB517F1DEF65

SHA256:

DCA748FD092CAE601888CAD7CAEB986A79853EAD5471DE96689E1C54AE9CB6E1

SSDEEP:

24576:Lrr/9w9JpeSkiOMs25mI2rDc30x5tUewSFYndCfeI+GajylnGhj9EirjI:LH2LUSkOp50zxbUJndWeMln8Frc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Autodesk License Patcher Installer.exe (PID: 3428)
    • Starts NET.EXE for service management

      • net.exe (PID: 3948)
      • cmd.exe (PID: 3488)
      • net.exe (PID: 3248)
      • cmd.exe (PID: 3460)
      • net.exe (PID: 3464)
      • net.exe (PID: 4032)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3488)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Autodesk License Patcher Installer.exe (PID: 3428)
      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 3488)
      • wscript.exe (PID: 2696)
    • Reads the Internet Settings

      • Autodesk License Patcher Installer.exe (PID: 3428)
      • WMIC.exe (PID: 2324)
      • WMIC.exe (PID: 2388)
      • wscript.exe (PID: 2696)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3460)
    • Executing commands from a ".bat" file

      • Autodesk License Patcher Installer.exe (PID: 3428)
      • cmd.exe (PID: 3456)
      • wscript.exe (PID: 2696)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3460)
    • Application launched itself

      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 3488)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3460)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3460)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3488)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3460)
    • Powershell version downgrade attack

      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 1116)
      • powershell.exe (PID: 3660)
    • Uses WMIC.EXE

      • cmd.exe (PID: 2336)
      • cmd.exe (PID: 1936)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3488)
    • The process executes VB scripts

      • cmd.exe (PID: 3488)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2696)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 3488)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 3488)
  • INFO

    • Checks supported languages

      • Autodesk License Patcher Installer.exe (PID: 3428)
      • chcp.com (PID: 3140)
      • mode.com (PID: 3540)
      • chcp.com (PID: 3688)
      • mode.com (PID: 3656)
      • msiexec.exe (PID: 1808)
      • chcp.com (PID: 3544)
      • mode.com (PID: 2896)
    • Reads the computer name

      • Autodesk License Patcher Installer.exe (PID: 3428)
      • msiexec.exe (PID: 1808)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 3552)
      • xcopy.exe (PID: 1604)
      • xcopy.exe (PID: 1820)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
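Every behaviour flagged above is produced by a stock Windows tool (netsh, taskkill, ping, xcopy, powershell, schtasks, sc), so any one hit is weak evidence; it is the combination under a single cmd.exe parent that characterises this chain. The Python below is an added example, not ANY.RUN's signature logic and not code from the sample: it encodes the signature names used in this report as simple image/command-line rules, runs them over events constructed from the command lines shown in the process table further down, and adds one compound check for the licence-tampering pattern (block rule on a licence daemon plus a PowerShell rewrite of a .lic file). The weights, the ProcEvent layout and the parent column are assumptions made for the example.

```python
"""Behaviour rules for the process chain in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # executable basename as the log records it
    cmdline: str
    parent: str     # parent executable basename (assumed; the report shows cmd.exe)


# Constructed from the command lines in the report's process table; PIDs are the report's.
SAMPLE_EVENTS = [
    ProcEvent(280, "netsh.exe",
              'netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block '
              'profile=any program="\\Autodesk Shared\\Network License Manager\\adskflex.exe"',
              "cmd.exe"),
    ProcEvent(284, "cmd.exe", "C:\\Windows\\system32\\cmd.exe /c hostname", "cmd.exe"),
    ProcEvent(300, "taskkill.exe", 'taskkill /F /IM "lmtools.exe"', "cmd.exe"),
    ProcEvent(316, "PING.EXE", "ping 127.0.0.1 -n 5", "cmd.exe"),
    ProcEvent(556, "xcopy.exe",
              'xcopy "C:\\AutodeskLicensePatcherInstaller\\Files\\Service\\Service.bat" '
              '"\\Autodesk Shared\\Network License Manager\\" /Y /K /R /S /H /i',
              "cmd.exe"),
    ProcEvent(1116, "powershell.exe",
              "powershell -Command \"(gc License.lic) -replace 'MAC', '12A9866C77DE ' "
              "-replace 'HOSTNAME', 'User-PC' | Out-File -encoding ASCII License.lic\"",
              "cmd.exe"),
    ProcEvent(1228, "netsh.exe",
              'netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block '
              'profile=any program="\\Autodesk Shared\\Network License Manager\\lmgrd.exe"',
              "cmd.exe"),
]

# (signature name as the report phrases it, image regex, command-line regex, weight).
# Weights are an assumption; the report itself does not score its signatures.
RULES = [
    ("Uses NETSH.EXE to add a firewall rule", r"^netsh\.exe$",
     r"advfirewall\s+firewall\s+add\s+rule\b", 3),
    ("Uses NETSH.EXE to delete a firewall rule", r"^netsh\.exe$",
     r"advfirewall\s+firewall\s+delete\s+rule\b", 2),
    ("Uses TASKKILL.EXE to kill process", r"^taskkill\.exe$", r"/F\s+/IM\b", 1),
    ("Runs PING.EXE to delay simulation", r"^ping\.exe$", r"127\.0\.0\.1\s+-n\s+\d+", 1),
    ("Starts POWERSHELL.EXE for commands execution", r"^powershell\.exe$", r"-Command\b", 2),
    ("Uses Task Scheduler to run other applications", r"^schtasks\.exe$", r"/create\b", 3),
    ("Starts SC.EXE for service management", r"^sc\.exe$", r"\b(create|config|start)\b", 2),
]

# FlexNet / Autodesk licence-server binaries named in this report.
LICENSE_DAEMONS = re.compile(r"\b(lmgrd|adskflex|lmtools)\.exe\b", re.IGNORECASE)


def _fired(ev):
    """Yield (name, weight) for every rule whose image and command-line patterns both match."""
    for name, img_re, cmd_re, weight in RULES:
        if re.search(img_re, ev.image, re.IGNORECASE) and re.search(cmd_re, ev.cmdline, re.IGNORECASE):
            yield name, weight


def match_rules(events):
    """Map each signature name to the PIDs that triggered it, in log order."""
    hits = {}
    for ev in events:
        for name, _ in _fired(ev):
            hits.setdefault(name, []).append(ev.pid)
    return hits


def score(events):
    """Sum the weights of every rule hit. Single hits are routine admin noise;
    a high total under one parent is what makes the chain worth a look."""
    return sum(weight for ev in events for _, weight in _fired(ev))


def license_tamper_chain(events):
    """Compound check: a firewall block rule aimed at a licence daemon, plus a
    PowerShell rewrite of a .lic file. Each half alone is legitimate administration;
    together they describe a licence server being cut off from the network and re-keyed."""
    blocks_daemon = any(
        ev.image.lower() == "netsh.exe"
        and re.search(r"\baction=block\b", ev.cmdline, re.IGNORECASE)
        and LICENSE_DAEMONS.search(ev.cmdline)
        for ev in events)
    rewrites_lic = any(
        ev.image.lower() == "powershell.exe"
        and re.search(r"-replace\b", ev.cmdline, re.IGNORECASE)
        and re.search(r"\.lic\b", ev.cmdline, re.IGNORECASE)
        for ev in events)
    return blocks_daemon and rewrites_lic


if __name__ == "__main__":
    for name, pids in match_rules(SAMPLE_EVENTS).items():
        print(f"{name}: PIDs {pids}")
    print("score:", score(SAMPLE_EVENTS))
    print("licence tamper chain:", license_tamper_chain(SAMPLE_EVENTS))
```

Feeding real Sysmon event ID 1 or Security 4688 records into ProcEvent is a one-line mapping; the compound check is the part worth keeping, since the individual rules will fire constantly on administrators' machines.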
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 01:38:38+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 176128
UninitializedDataSize: 258048
EntryPoint: 0x4cf60
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: -
FileDescription: -
LegalCopyright: -
LegalTrademarks: -
InternalName: -
ProductName: -
OriginalFileName: -
FileVersion: -
ProductVersion: -
Comments: -
PrivateBuild: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes
129
Monitored processes
89
Malicious processes
8
Suspicious processes
0

Behavior graph

Interactive graph; see the full report. Processes as listed in the graph, in launch order (×N marks a run of identical entries):
autodesk license patcher installer.exe, cmd.exe, chcp.com, mode.com, reg.exe, fltmc.exe, cmd.exe, chcp.com, mode.com, reg.exe, fltmc.exe, ping.exe ×2, net.exe, net1.exe, taskkill.exe ×9, msiexec.exe ×2, ping.exe, xcopy.exe ×6, ping.exe, reg.exe ×2, powershell.exe, cmd.exe, hostname.exe, wmic.exe, cmd.exe ×2, wmic.exe, powershell.exe, ping.exe, sc.exe, schtasks.exe ×2, ping.exe, netsh.exe ×12, ping.exe, net.exe, net1.exe, ping.exe, wscript.exe, cmd.exe, ping.exe, chcp.com, mode.com, reg.exe, fltmc.exe, ping.exe, reg.exe ×2, powershell.exe, net.exe, net1.exe, taskkill.exe ×9, net.exe, net1.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 280
CMD: netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="\Autodesk Shared\Network License Manager\adskflex.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 284
CMD: C:\Windows\system32\cmd.exe /c hostname
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 300
CMD: taskkill /F /IM "lmtools.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 316
CMD: ping 127.0.0.1 -n 5
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 556
CMD: xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 860
CMD: netsh advfirewall firewall add rule name="Blocked C:\Autodesk Shared\Network License Manager\adskflex.exe" dir=out action=block profile=any program="C:\Autodesk Shared\Network License Manager\adskflex.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1116
CMD: powershell -Command "(gc License.lic) -replace 'MAC', '12A9866C77DE ' -replace 'HOSTNAME', 'User-PC' | Out-File -encoding ASCII License.lic"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1228
CMD: netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="\Autodesk Shared\Network License Manager\lmgrd.exe"
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1344
CMD: xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 1364
CMD: xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Path: C:\Windows\System32\xcopy.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
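Three of the netsh command lines above add block rules for the licence-manager binaries, and two of them (PIDs 280 and 1228) pass a program path with no drive letter, which netsh accepted (exit code 0). The Python below is an added example, not part of the report or of the sample: it parses the netsh advfirewall "add rule" syntax into fields, flags block rules aimed at lmgrd.exe or adskflex.exe and drive-less program paths, and builds the netsh "show rule ... verbose" command an analyst would run on the host to see what the firewall actually stored. The sample command lines are copied from PIDs 280, 860 and 1228; the finding texts and the LICENSE_DAEMONS set are this example's own.

```python
"""Structured parsing of 'netsh advfirewall firewall add rule' lines (added example)."""
import re
import ntpath
from dataclasses import dataclass, field

# key=value pairs: the value is either a double-quoted run or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b", re.IGNORECASE)
# FlexNet / Autodesk licence-server binaries named in this report
LICENSE_DAEMONS = {"lmgrd.exe", "adskflex.exe"}

# Copied from the process table above (PIDs 280, 860, 1228).
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="AutodeskNLM" dir=out action=block profile=any program="\Autodesk Shared\Network License Manager\adskflex.exe"',
    r'netsh advfirewall firewall add rule name="Blocked C:\Autodesk Shared\Network License Manager\adskflex.exe" dir=out action=block profile=any program="C:\Autodesk Shared\Network License Manager\adskflex.exe"',
    r'netsh advfirewall firewall add rule name="AutodeskNLM" dir=in action=block profile=any program="\Autodesk Shared\Network License Manager\lmgrd.exe"',
]


@dataclass
class FirewallRule:
    name: str
    direction: str
    action: str
    profile: str
    program: str
    findings: list = field(default_factory=list)


def parse_add_rule(cmdline):
    """Return a FirewallRule for an 'add rule' command line, or None for anything else."""
    if not _ADD_RULE.search(cmdline):
        return None
    # findall yields (key, quoted, bare); exactly one of quoted/bare is non-empty
    kv = {k.lower(): (q if q else bare) for k, q, bare in _KV.findall(cmdline)}
    rule = FirewallRule(
        name=kv.get("name", ""),
        direction=kv.get("dir", "").lower(),
        action=kv.get("action", "").lower(),
        profile=kv.get("profile", "").lower(),
        program=kv.get("program", ""),
    )
    base = ntpath.basename(rule.program).lower()
    if rule.action == "block" and base in LICENSE_DAEMONS:
        rule.findings.append(f"blocks {rule.direction}bound traffic for licence daemon {base}")
    # A program path should start with a drive letter or an environment variable;
    # anything else is ambiguous and must be compared with the stored rule.
    if rule.program and not re.match(r"^(?:[A-Za-z]:\\|%[^%]+%)", rule.program):
        rule.findings.append("program path has no drive letter; compare with the stored rule")
    return rule


def show_rule_command(rule):
    """The netsh command that dumps the stored rule(s) with this name, including program path."""
    return f'netsh advfirewall firewall show rule name="{rule.name}" verbose'


def triage(cmdlines):
    """Parse every 'add rule' line and keep those with at least one finding."""
    out = []
    for line in cmdlines:
        rule = parse_add_rule(line)
        if rule and rule.findings:
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in triage(SAMPLE_CMDLINES):
        print(rule.name, rule.direction, rule.action, rule.program)
        for f in rule.findings:
            print("   -", f)
        print("   check:", show_rule_command(rule))
```

Note that two different rules share the name "AutodeskNLM" (one inbound for lmgrd.exe, one outbound for adskflex.exe); "show rule name=" returns both, and a single "delete rule name=AutodeskNLM" removes both, which is the behaviour the report's "delete a firewall rule" signature most likely reflects.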
Total events
13 485
Read events
12 776
Write events
709
Delete events
0

Modification events

(PID) Process: (3428) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (3428) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (3428) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
(PID) Process: (3428) Autodesk License Patcher Installer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0
(PID) Process: (1996) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Operation: write
Name: RegisteredOwner
Value:
admin
(PID) Process: (1944) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (1116) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (1584) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (1228) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (280) netsh.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
Executable files
6
Suspicious files
9
Text files
8
Unknown types
0

Dropped files

PID | Process | Filename | Type
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll | executable
MD5: 51F0E19B4CF164ECBA9A006C4CF3B2A5
SHA256: 6F13E52D797A732435C8BB456BE08C64D0B6FADEA29F85486F4B44559D6CC95F
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml | xml
MD5: 53067581F721F8C3659FED0EBE619E79
SHA256: 35C8E66648CCC4A10689B7DCB78345CC857A03140CC91084679736E03798F624
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic | text
MD5: 4D062EA9E3D37E764E986913DB4CAAA2
SHA256: 72C545208818C062C13A3423771AD1453C8D07659E516632E4596E4DDBE093DE
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat | text
MD5: 8C6A12F0931B1C1BEBDFFD415406523A
SHA256: 70C6544BFBDE92D697CF76543104EAF42629B7823B29AC759BEF670F89BE4E82
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe | executable
MD5: 219F8CEBEF26F1373062357B2F4A8489
SHA256: CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973
1364 | xcopy.exe | C:\Autodesk Shared\Network License Manager\License.lic | text
MD5: 4D062EA9E3D37E764E986913DB4CAAA2
SHA256: 72C545208818C062C13A3423771AD1453C8D07659E516632E4596E4DDBE093DE
1604 | xcopy.exe | C:\Autodesk Shared\Network License Manager\adskflex.exe | executable
MD5: C00B8B7B1C084718EC5D63A53AEFB1EB
SHA256: 05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs | text
MD5: BDCEE93AFA90EC55B9DEDDB3014E2269
SHA256: 9212E1A3E7D690BE3574A5252C3435E2602B3BB742993A416F483105ED53BF61
3428 | Autodesk License Patcher Installer.exe | C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat | text
MD5: D0D4F5CD24C63A74C68A03B2B3A8786D
SHA256: 62B915D1E0E26F72700C519534F181AC9728FFF9252D21298667FB85ECC3B702
1116 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HPM69TPHYRE601112LH1.temp | binary
MD5: C681106A4168B935996B10134404F885
SHA256: 89AB4ECFBB5C1FD07CF99465E36B1A08F51E2512AA60DDD616D4A37753FC112D
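The dropped-file table pairs every path with a hash, which makes the copy step visible: License.lic carries the same SHA256 in the staging directory C:\AutodeskLicensePatcherInstaller and in the install directory C:\Autodesk Shared\Network License Manager. The Python below is an added example, not part of the report: it transcribes the records above, groups them by hash to surface staging-to-install copies, flags an "executable" that carries a Windows system-DLL name (version.dll) outside System32, and emits the hash and directory sets an analyst would sweep other hosts for. The SYSTEM_DLL_NAMES set is an illustrative assumption, not something the report states.

```python
"""Group this report's dropped files by hash and path (added example)."""
import ntpath
from collections import defaultdict

# Transcribed from the Dropped files table: (pid, process, path, type, sha256)
DROPPED = [
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll", "executable",
     "6F13E52D797A732435C8BB456BE08C64D0B6FADEA29F85486F4B44559D6CC95F"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\Task\Autodesk.xml", "xml",
     "35C8E66648CCC4A10689B7DCB78345CC857A03140CC91084679736E03798F624"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic", "text",
     "72C545208818C062C13A3423771AD1453C8D07659E516632E4596E4DDBE093DE"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat", "text",
     "70C6544BFBDE92D697CF76543104EAF42629B7823B29AC759BEF670F89BE4E82"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe", "executable",
     "CF025ECFB3556E334DDE501B95485998DE9E1B6A06CCBD56FFA1345D6B5A3973"),
    (1364, "xcopy.exe",
     r"C:\Autodesk Shared\Network License Manager\License.lic", "text",
     "72C545208818C062C13A3423771AD1453C8D07659E516632E4596E4DDBE093DE"),
    (1604, "xcopy.exe",
     r"C:\Autodesk Shared\Network License Manager\adskflex.exe", "executable",
     "05B24756D46CE216C84878DDDC97EF9E2EEB6ECA8EC12C97E780C4D0EEF63731"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs", "text",
     "9212E1A3E7D690BE3574A5252C3435E2602B3BB742993A416F483105ED53BF61"),
    (3428, "Autodesk License Patcher Installer.exe",
     r"C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat", "text",
     "62B915D1E0E26F72700C519534F181AC9728FFF9252D21298667FB85ECC3B702"),
    (1116, "powershell.exe",
     r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HPM69TPHYRE601112LH1.temp",
     "binary", "89AB4ECFBB5C1FD07CF99465E36B1A08F51E2512AA60DDD616D4A37753FC112D"),
]

# Illustrative assumption: DLL names that normally live in System32. An "executable"
# dropped elsewhere under one of these names deserves a closer look (replaced or
# proxied library), whatever the report itself concludes about it.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "winmm.dll", "uxtheme.dll", "cryptbase.dll"}


def copies_by_hash(records):
    """SHA256 -> sorted paths; more than one path means the same bytes were staged
    in one directory and copied to another (here by xcopy)."""
    groups = defaultdict(set)
    for _pid, _proc, path, _kind, sha in records:
        groups[sha.upper()].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def staged_copies(records):
    """Only the hashes that appear under more than one path."""
    return {sha: paths for sha, paths in copies_by_hash(records).items() if len(paths) > 1}


def misplaced_system_dlls(records):
    """Dropped executables named like a system DLL but written outside System32."""
    out = []
    for _pid, _proc, path, kind, _sha in records:
        base = ntpath.basename(path).lower()
        if kind == "executable" and base in SYSTEM_DLL_NAMES \
                and "\\windows\\system32" not in ntpath.dirname(path).lower():
            out.append(path)
    return out


def hunt_set(records):
    """Unique hashes and directories to sweep on other hosts."""
    hashes = sorted({sha.upper() for *_, sha in records})
    dirs = sorted({ntpath.dirname(path) for _p, _q, path, _k, _s in records})
    return hashes, dirs


if __name__ == "__main__":
    for sha, paths in staged_copies(DROPPED).items():
        print(sha, "->", " | ".join(paths))
    print("system-DLL names outside System32:", misplaced_system_dlls(DROPPED))
    hashes, dirs = hunt_set(DROPPED)
    print(len(hashes), "hashes,", len(dirs), "directories to sweep")
```

The hash list is the portable part; the directory list matters because the staging directory under C:\ survives the run (the report records no delete events), so a host that still has C:\AutodeskLicensePatcherInstaller has the whole kit on disk.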
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
All four are local multicast or subnet-broadcast destinations from system processes (LLMNR on UDP 5355, NetBIOS name and datagram service on 137/138, SSDP on 1900), not connections made by the sample's own processes; no external host is contacted during the run.

DNS requests

No data

Threats

No threats detected
No debug info