Windows Analysis Report
Autodesk License Patcher Installer.exe

Overview

General Information

Sample Name: Autodesk License Patcher Installer.exe
Analysis ID: 790015
MD5: f11948edf3ad78021e0d404c10b56ab4
SHA1: 030e60546a942866ea84814ee6b8c479c5418c61
SHA256: 1a9c00c459700e28f44329de3219353ccc95f0ba1279dbcc475b26908db9567a

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Contains functionality to register a low level keyboard hook
Uses ping.exe to check the status of other devices and networks
DLL side loading technique detected
Uses ping.exe to sleep
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Enables debug privileges
Sample file is different than original file name gathered from version info
Uses net.exe to stop services
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Contains functionality to launch a program with higher privileges
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Creates a process in suspended mode (likely to inject code)

Classification

Chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner
Chart scale: clean, suspicious, malicious

AV Detection

Source: Autodesk License Patcher Installer.exe ReversingLabs: Detection: 61%
Source: Autodesk License Patcher Installer.exe Virustotal: Detection: 59%
Source: 0.0.Autodesk License Patcher Installer.exe.400000.0.unpack Avira: Label: TR/Crypt.CFI.Gen
Source: Autodesk License Patcher Installer.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: E:\FNP-11.16.2\tier1\flexnet\master\build\_release-Windows-ipv6.NT4-x86_64-main\lmgrd.exe.pdb) source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr
Source: Binary string: E:\FNP-11.16.2\tier1\flexnet\master\build\_release-Windows-ipv6.NT4-x86_64-main\lmgrd.exe.pdb source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040371E GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040371E
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_00403203 wsprintfW,FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403203

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, Autodesk License Patcher Installer.exe, 00000000.00000003.1301901689.0000000000940000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr String found in binary or memory: http://169.254.169.254http://169.254.169.254/latest/meta-datalatest/meta-data/public-ipv4latest/meta
Source: Autodesk License Patcher Installer.exe String found in binary or memory: http://sourceforge.net/projects/s-zipsfxbuilder/)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_00408D9F SetWindowsHookExW 00000002,Function_00008D71,00000000,00000000 0_2_00408D9F
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: String function: 004029CD appears 44 times
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1294243393.00000000024E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename" vs Autodesk License Patcher Installer.exe
Source: Autodesk License Patcher Installer.exe, 00000000.00000000.1289910128.0000000000460000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename" vs Autodesk License Patcher Installer.exe
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1294104232.00000000024E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename" vs Autodesk License Patcher Installer.exe
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1293946538.00000000024E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename" vs Autodesk License Patcher Installer.exe
Source: Autodesk License Patcher Installer.exe Binary or memory string: OriginalFilename" vs Autodesk License Patcher Installer.exe
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe File read: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe C:\Users\user\Desktop\Autodesk License Patcher Installer.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 1254
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com mode con: cols=70 lines=15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net stop AdskLicensingService
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop AdskLicensingService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingAgent.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "ADPClientService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingInstHelper.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmgrd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "adskflex.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmutil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmtools.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\msiexec.exe MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /d Administrator /f
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AdskLicensingService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AdskLicensingAgent.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ADPClientService.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AdskLicensingAnalyticsClient.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AdskLicensingInstHelper.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lmgrd.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "adskflex.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lmutil.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "lmtools.exe")
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "adskflex.exe")
Source: classification engine Classification label: mal68.troj.spyw.evad.winEXE@80/38@0/2
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040123E GetDiskFreeSpaceExW,SendMessageW, 0_2_0040123E
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_004095EA wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_004095EA
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_02
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_004020E6 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_004020E6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Common Files\Autodesk Shared
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
Source: Autodesk License Patcher Installer.exe Static file information: File size 1353899 > 1048576
Source: Binary string: E:\FNP-11.16.2\tier1\flexnet\master\build\_release-Windows-ipv6.NT4-x86_64-main\lmgrd.exe.pdb) source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr
Source: Binary string: E:\FNP-11.16.2\tier1\flexnet\master\build\_release-Windows-ipv6.NT4-x86_64-main\lmgrd.exe.pdb source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_004161F0 push eax; ret 0_2_0041621E
Source: lmgrd.exe.0.dr Static PE information: section name: .textidx
Source: lmgrd.exe.0.dr Static PE information: section name: .fnp_dir
Source: lmgrd.exe.0.dr Static PE information: section name: .fnp_mar
Source: version.dll.0.dr Static PE information: section name: .didata
Source: adskflex.exe.0.dr Static PE information: section name: .textidx
Source: adskflex.exe.0.dr Static PE information: section name: _RDATA
Source: adskflex.exe.34.dr Static PE information: section name: .textidx
Source: adskflex.exe.34.dr Static PE information: section name: _RDATA
Source: lmgrd.exe.35.dr Static PE information: section name: .textidx
Source: lmgrd.exe.35.dr Static PE information: section name: .fnp_dir
Source: lmgrd.exe.35.dr Static PE information: section name: .fnp_mar
Source: version.dll.39.dr Static PE information: section name: .didata
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040268C LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_0040268C
Source: version.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xf112
Source: adskflex.exe.34.dr Static PE information: real checksum: 0x26edc7 should be: 0x278ac6
Source: adskflex.exe.0.dr Static PE information: real checksum: 0x26edc7 should be: 0x278ac6
Source: Autodesk License Patcher Installer.exe Static PE information: real checksum: 0x0 should be: 0x155d76
Source: version.dll.39.dr Static PE information: real checksum: 0x0 should be: 0xf112
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe File created: C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\version.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe File created: C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe File created: C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net stop AdskLicensingService
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\lmgrd.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Dropped PE file which has not been started: C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\adskflex.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Dropped PE file which has not been started: C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040371E GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040371E
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_00403203 wsprintfW,FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403203
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: Hyper-V
Source: adskflex.exe.0.dr Binary or memory string: VMware
Source: adskflex.exe.0.dr Binary or memory string: VMwareVMware detected
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU Virtual CPU
Source: lmgrd.exe.0.dr Binary or memory string: PHYSICAL_VMware_Hyper-V_VirtualPC_Xen_VirtualBox_Qemu_Parallels_Azure %x%c%xError closing ascii log file %s: %s
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: WMI checking for VM_WMI_QEMU
Source: adskflex.exe.0.dr Binary or memory string: VMWARE
Source: adskflex.exe.0.dr Binary or memory string: Running on Hypervisor: VMWareHyper-VVirtualPCXenQemuParallelsVirtualBoxAmazon EC2Google ComputeAzureEverrunUnknown HypervisorNone (Physical)Not determined - treat as PhysicalLicense file(s) used: %sSingle Server3-Server Certificate3-Server TSServer Configuration: %s
Source: adskflex.exe.0.dr Binary or memory string: s_vm_wmi_VMware_detection - VMware not detected
Source: lmgrd.exe.0.dr Binary or memory string: Vendor daemon can be operated in VMware environment only
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000003.1580301805.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: Server is NOT allowed to operate on a QEMU virtual machine
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Correction - CPUID data block search indicates QEMU detected
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: CPUID Hyper-V Signature rejected
Source: adskflex.exe.0.dr Binary or memory string: WMI checking for VM_WMI_VMWARE
Source: adskflex.exe.0.dr Binary or memory string: VM_ALLPHYSICALVM_ONLYVMWHYPER-VXENQEMUPARALLELSVIRTUALBOXAMAZONGOOGLEAZUREEVERRUNClient's Vendor Keys do not support Virtualization.
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Running QEMU-specific CPUID Detection Mechanism
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000003.1580301805.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: The HOSTID on the SERVER line needs the server to run in Hyper-V virtual environment.
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Populating QEMU VM Attributes
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000003.1580301805.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: Server is running on a QEMU virtual machine
Source: adskflex.exe.0.dr Binary or memory string: VMwareVMware
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: HYPER-V
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU detected using cpuid mechanism
Source: adskflex.exe.0.dr Binary or memory string: Server is running on a VMware virtual machine
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU Detection positive result
Source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr Binary or memory string: Vendor daemon can be operated in Hyper-V environment only
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Qemu detected
Source: adskflex.exe.0.dr Binary or memory string: s_vm_wmi_VMware_detection - Failed to access serial number
Source: adskflex.exe.0.dr Binary or memory string: Populating VMWARE Attributes....
Source: adskflex.exe.0.dr Binary or memory string: VMWare detected
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Hyper-V detected
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: _Qemu
Source: adskflex.exe.0.dr Binary or memory string: s_vm_wmi_VMware_detection - VMware detected
Source: adskflex.exe.0.dr Binary or memory string: The HOSTID on the SERVER line needs the server to run in VMware virtual environment.
Source: adskflex.exe.0.dr Binary or memory string: _VMwareVIRTUAL_Hyper-V_VirtualPC_Xen_VirtualBox_Qemu_Parallels_AzureVIRTUAL_UNKNOWN# FLEXnet Licensing Report Log, %d %s, %d (%2d:%02d), "%s" on "%s" FlexNet Licensing %s VM_environment="%s"
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU Detection negative result
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU-specific CPUID test negative
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: QEMU detected
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000003.1580301805.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: Server is running on a Hyper-V virtual machine
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000022.00000003.1580301805.00000000029EC000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, adskflex.exe.0.dr Binary or memory string: Server is NOT allowed to operate on a Hyper-V virtual machine
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: Running QEMU-specific Vm Detection Mechanism
Source: Autodesk License Patcher Installer.exe, 00000000.00000003.1299543272.00000000026E4000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, adskflex.exe.34.dr, lmgrd.exe.35.dr, lmgrd.exe.0.dr, adskflex.exe.0.dr Binary or memory string: _Hyper-V
Source: adskflex.exe.0.dr Binary or memory string: VMWare
Source: adskflex.exe.0.dr Binary or memory string: _VMware
Source: xcopy.exe, 00000023.00000002.1585353210.000000000294F000.00000004.00000020.00020000.00000000.sdmp, lmgrd.exe.35.dr, lmgrd.exe.0.dr Binary or memory string: Vendor daemon can be operated in QEMU environment only.
Source: adskflex.exe.0.dr Binary or memory string: Server is NOT allowed to run on a VMware virtual machine
Source: adskflex.exe.0.dr Binary or memory string: Server is NOT allowed to operate within a NON VMware virtual machine
Source: lmgrd.exe.0.dr Binary or memory string: .lic%s > %sVM_ALLVM_ONLYVMWHYPER-VXENQEMUPARALLELSVIRTUALBOXAMAZONGOOGLEAZUREVPCi86_rei86_sei86_lsbamd64_rex64_sex64_lsbit64_reit64_lsbppc_reppc_seppc_lsbppc64_reppc64_seppc64_lsb%s <> SIGN%s=NOMORE46,INTERNET=%s
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040268C LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_0040268C
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: C:\Windows\SysWOW64\version.dll
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_004053D3 memset,??3@YAXPAX@Z,??3@YAXPAX@Z,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z, 0_2_004053D3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingAgent.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "ADPClientService.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingAnalyticsClient.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "AdskLicensingInstHelper.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmgrd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "adskflex.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmutil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "lmtools.exe"
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\AutodeskLicensePatcherInstaller\AutodeskLicensePatcherInstaller.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 1254
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com mode con: cols=70 lines=15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\fltMC.exe fltmc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 15
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net stop AdskLicensingService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\msiexec.exe MsiExec.exe /X {4BE91685-1632-47FC-B563-A8A542C6664C} /qn
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\adskflex.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\lmgrd.exe" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\NetworkLicenseManager\License.lic" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.vbs" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\Service\Service.bat" "C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\AutodeskLicensePatcherInstaller\Files\PatchedFiles\version.dll" "C:\Program Files (x86)\Common Files\Autodesk Shared\AdskLicensing\Current\AdskLicensingAgent\" /Y /K /R /S /H /i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /d Administrator /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop AdskLicensingService
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_0040276B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0040276B
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlen,??2@YAPAXI@Z,GetLocaleInfoW,_wtoi,MultiByteToWideChar, 0_2_004024A4
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_00403A88 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403A88
Source: C:\Users\user\Desktop\Autodesk License Patcher Installer.exe Code function: 0_2_00405C30 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtoi,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtoi,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtoi,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtoi,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtoi,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00405C30