File name:

AutodeskScanWin.msi

Full analysis: https://app.any.run/tasks/54832d78-b803-4912-8c78-eeb4814b89a4
Verdict: Malicious activity
Analysis date: September 27, 2019, 13:18:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ScanWin, Author: Autodesk, Keywords: Installer, Comments: This installer database contains the logic and data required to install ScanWin., Template: Intel;1033, Revision Number: {D710C1D7-E2ED-4B8F-971D-7C3D4151F512}, Create Time/Date: Fri Sep 6 15:42:50 2019, Last Saved Time/Date: Fri Sep 6 15:42:50 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
MD5:

F5DFE54A6CFCF5EF646875A70496B5AD

SHA1:

9B04AE092B21F990CC29C8391F6AA1771921DCFA

SHA256:

4B19E09E7C11DD3F132893BF86FFC787B5E66C0D610C1E6FCFBF63349A3C6595

SSDEEP:

49152:ezRt0h3fdc+sztgkIZqyCNo1vhn7QyHBtkr/:yT0h3a+Etsky7Yr/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • msiexec.exe (PID: 3044)
    • Application was dropped or rewritten from another process

      • ScanWinViewer.exe (PID: 1964)
      • ScanWin.exe (PID: 3132)
      • ScanWin.exe (PID: 3640)
    • Loads dropped or rewritten executable

      • ScanWinViewer.exe (PID: 1964)
      • ScanWin.exe (PID: 3640)
      • ScanWin.exe (PID: 3132)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 2208)
    • Creates files in the program directory

      • ScanWin.exe (PID: 3640)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 864)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2452)
    • Executed via COM

      • DrvInst.exe (PID: 3272)
    • Creates files in the Windows directory

      • ScanWin.exe (PID: 3640)
      • cmd.exe (PID: 700)
    • Executed via WMI

      • cmd.exe (PID: 700)
      • cmd.exe (PID: 3280)
    • Removes files from Windows directory

      • ScanWin.exe (PID: 3640)
    • Reads Internet Cache Settings

      • ScanWinViewer.exe (PID: 1964)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2208)
    • Manual execution by user

      • ScanWinViewer.exe (PID: 1964)
      • cmd.exe (PID: 2452)
      • NOTEPAD.EXE (PID: 3224)
      • EXCEL.EXE (PID: 2144)
    • Creates files in the program directory

      • msiexec.exe (PID: 864)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 864)
    • Searches for installed software

      • msiexec.exe (PID: 864)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2144)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: ScanWin
Author: Autodesk
Keywords: Installer
Comments: This installer database contains the logic and data required to install ScanWin.
Template: Intel;1033
RevisionNumber: {D710C1D7-E2ED-4B8F-971D-7C3D4151F512}
CreateDate: 2019:09:06 14:42:50
ModifyDate: 2019:09:06 14:42:50
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
60
Monitored processes
13
Malicious processes
3
Suspicious processes
0

Behavior graph

  • start
    • msiexec.exe
    • msiexec.exe
    • vssvc.exe (no specs)
    • drvinst.exe (no specs)
    • scanwinviewer.exe (no specs)
    • cmd.exe (no specs)
    • ipconfig.exe (no specs)
    • scanwin.exe (no specs)
    • cmd.exe (no specs)
    • cmd.exe (no specs)
    • scanwin.exe (no specs)
    • excel.exe (no specs)
    • notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
700
CMD:
cmd /c C:\Windows\Temp\Installer_Helper.cmd
Path:
C:\Windows\system32\cmd.exe
Parent process:
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
864
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\system32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1964
CMD:
"C:\Program Files\Autodesk\ScanWin\ScanWinViewer.exe"
Path:
C:\Program Files\Autodesk\ScanWin\ScanWinViewer.exe
Parent process:
explorer.exe
User:
admin
Company:
License Dashboard
Integrity Level:
MEDIUM
Description:
ScanWin Viewer
Exit code:
0
Version:
2.0.6.7
Modules
Images
c:\program files\autodesk\scanwin\scanwinviewer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2144
CMD:
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path:
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
2208
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\system32\vssvc.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2408
CMD:
ipconfig
Path:
C:\Windows\system32\ipconfig.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
PID:
2452
CMD:
"C:\Windows\system32\cmd.exe"
Path:
C:\Windows\system32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
3044
CMD:
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\AutodeskScanWin.msi"
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
3132
CMD:
"ScanWin.exe" /output="C:\Users\admin\Documents\AutodeskProducts.csv" /export
Path:
C:\Program Files\Autodesk\ScanWin\ScanWin.exe
Parent process:
ScanWinViewer.exe
User:
admin
Company:
License Dashboard
Integrity Level:
MEDIUM
Description:
ScanWin
Exit code:
0
Version:
2.0.6.7
Modules
Images
c:\program files\autodesk\scanwin\scanwin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
3224
CMD:
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Documents\AutodeskProducts.csv-NFO.txt
Path:
C:\Windows\system32\NOTEPAD.EXE
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
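The Process information table above gives, for each monitored process, its image, command line and reported parent. Rebuilding that tree is how a responder separates the noise (the Windows Installer service side under services.exe, the VSS restore-point writer, the analyst's own manual launches from explorer.exe) from the launches that deserve a closer look: cmd.exe (PID 700) started by wmiprvse.exe to run C:\Windows\Temp\Installer_Helper.cmd, ipconfig.exe under the analyst's cmd.exe, and ScanWin.exe / ScanWinViewer.exe executing out of the directory msiexec (PID 864) had just populated. The Python below is an added example, not part of the ANY.RUN report; its records are transcribed from the table (parent PIDs are not listed in the report, so parents are matched by image name), and the triage rules are the author's own illustration, not ANY.RUN's signatures.

```python
"""Rebuild the process tree from the report's Process information table and
apply a few triage rules to it.  Records are transcribed from the report;
parent PIDs are not given there, so parents are tracked by image name only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged
    parent: str     # parent image name as reported
    user: str


# Transcribed from the Process information section of the report.
PROCESSES = [
    Proc(700, r"C:\Windows\system32\cmd.exe",
         r"cmd /c C:\Windows\Temp\Installer_Helper.cmd", "wmiprvse.exe", "admin"),
    Proc(864, r"C:\Windows\system32\msiexec.exe",
         r"C:\Windows\system32\msiexec.exe /V", "services.exe", "SYSTEM"),
    Proc(1964, r"C:\Program Files\Autodesk\ScanWin\ScanWinViewer.exe",
         r'"C:\Program Files\Autodesk\ScanWin\ScanWinViewer.exe"', "explorer.exe", "admin"),
    Proc(2144, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "explorer.exe", "admin"),
    Proc(2208, r"C:\Windows\system32\vssvc.exe",
         r"C:\Windows\system32\vssvc.exe", "services.exe", "SYSTEM"),
    Proc(2408, r"C:\Windows\system32\ipconfig.exe", "ipconfig", "cmd.exe", "admin"),
    Proc(2452, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe"', "explorer.exe", "admin"),
    Proc(3044, r"C:\Windows\System32\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\AutodeskScanWin.msi"',
         "explorer.exe", "admin"),
    Proc(3132, r"C:\Program Files\Autodesk\ScanWin\ScanWin.exe",
         r'"ScanWin.exe" /output="C:\Users\admin\Documents\AutodeskProducts.csv" /export',
         "ScanWinViewer.exe", "admin"),
    Proc(3224, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Documents\AutodeskProducts.csv-NFO.txt',
         "explorer.exe", "admin"),
]

# Directory the report shows msiexec (PID 864) populating under Program Files.
INSTALL_DIR = "c:\\program files\\autodesk\\scanwin\\"
# Illustrative list of discovery tools (the report only shows ipconfig.exe).
DISCOVERY_TOOLS = {"ipconfig.exe", "whoami.exe", "systeminfo.exe", "net.exe"}


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_rules(p: Proc) -> list[str]:
    """Return the triage findings that apply to one process."""
    hits = []
    if p.parent.lower() == "wmiprvse.exe":
        hits.append("spawned via WMI (parent wmiprvse.exe)")
    if "\\windows\\temp\\" in p.cmdline.lower():
        hits.append("executes a script from C:\\Windows\\Temp")
    if p.image.lower().startswith(INSTALL_DIR):
        hits.append("runs from the directory the installer wrote")
    if image_name(p.image) in DISCOVERY_TOOLS:
        hits.append("host discovery tool")
    return hits


def triage(procs: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> findings for every process with at least one finding."""
    return {p.pid: hits for p in procs if (hits := triage_rules(p))}


def children_of(procs: list[Proc], parent_image: str) -> list[int]:
    """PIDs whose reported parent image matches, in report order."""
    return [p.pid for p in procs if p.parent.lower() == parent_image.lower()]


def render_tree(procs: list[Proc]) -> str:
    """Indented parent -> child listing, grouped by reported parent image."""
    lines = []
    for parent in sorted({p.parent for p in procs}):
        lines.append(parent)
        for p in procs:
            if p.parent == parent:
                flags = "; ".join(triage_rules(p))
                lines.append(f"  {p.pid:>5} {image_name(p.image)}" + (f"  [{flags}]" if flags else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
```

Run as a script it prints the grouped tree with findings in brackets; the same rules map onto Sysmon Event ID 1 (ParentImage, Image, CommandLine) or Security 4688 with command-line auditing enabled. The "runs from the directory the installer wrote" finding is expected for any installer that launches what it installed; it becomes interesting only together with the dropped-file list and the WMI-spawned helper script, which is the combination this report shows.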
Total events
2 368
Read events
1 851
Write events
484
Delete events
33

Modification events

(PID) Process: (3044) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3044) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3
Operation: write
Name: Blob
Value:
(binary certificate blob; value not reproduced on this page)
(PID) Process: (864) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4000000000000000CCD2FB233675D5016003000040050000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (864) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4000000000000000CCD2FB233675D5016003000040050000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (864) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
24
(PID) Process: (864) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
400000000000000082CE58243675D5016003000040050000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (864) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4000000000000000DC305B243675D50160030000800E0000E8030000010000000000000000000000A1AD2A1614D0BA44BA3D70D3D8B895620000000000000000
(PID) Process: (2208) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000009E1C67243675D501A0080000F80A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2208) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000009E1C67243675D501A008000060050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2208) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000009E1C67243675D501A0080000E00E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
32
Suspicious files
7
Text files
85
Unknown types
5

Dropped files

PID
Process
Filename
Type
PID: 864
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 864
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF89B8A35B597107F9.TMP
Type:
MD5:
SHA256:
PID: 864
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:
SHA256:
PID: 3272
Process: DrvInst.exe
Filename: C:\Windows\INF\setupapi.ev1
Type: binary
MD5:
SHA256:
PID: 3044
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
Type: binary
MD5:
SHA256:
PID: 3272
Process: DrvInst.exe
Filename: C:\Windows\INF\setupapi.ev3
Type: binary
MD5:
SHA256:
PID: 3272
Process: DrvInst.exe
Filename: C:\Windows\INF\setupapi.dev.log
Type: ini
MD5:
SHA256:
PID: 864
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{162aada1-d014-44ba-ba3d-70d3d8b89562}_OnDiskSnapshotProp
Type: binary
MD5:
SHA256:
PID: 3044
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
Type: der
MD5:
SHA256:
PID: 864
Process: msiexec.exe
Filename: C:\Program Files\Autodesk\ScanWin\AutodeskProductCodes
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3044
msiexec.exe
GET
200
91.199.212.52:80
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
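The "Changes settings of System certificates" indicator is msiexec (PID 3044, the user's interactive install) writing a Blob value under HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3, which is the current user's intermediate CA store, in the same run in which it fetches http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt (1.37 KB, DER) and drops the file into CryptnetUrlCache. That combination is what Authenticode chain building looks like when a signed package references an intermediate the machine does not yet have; it is not the same thing as a write to a Root store, which would deserve far more scrutiny. The check a responder wants is that the key name is the SHA-1 thumbprint of the certificate inside the blob and that the stored certificate is byte-identical to the file that was downloaded. The Python below is an added example, not part of the ANY.RUN report, and runs against a constructed placeholder blob because the real Blob value is not reproduced on this page; the layout it parses (repeated records of DWORD property id, DWORD reserved = 1, DWORD length, data; property 32 carrying the DER certificate and property 3 its SHA-1) is the serialized store element format Windows writes to these registry values.

```python
"""Parse a Windows certificate-store 'Blob' registry value and verify that the
registry key name (the thumbprint) matches the embedded certificate, and that
the embedded certificate is the one fetched over HTTP."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3    # 20-byte SHA-1 of the encoded certificate
CERT_CERT_PROP_ID = 32        # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a serialized store element into {prop_id: data}.

    Each record is DWORD prop_id, DWORD reserved (always 1), DWORD length, data.
    """
    props: dict[int, bytes] = {}
    offset = 0
    while offset < len(blob):
        if offset + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {offset}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, offset)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved} at offset {offset}")
        offset += 12
        if offset + length > len(blob):
            raise ValueError(f"property {prop_id} overruns the blob")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def build_cert_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def sha1_thumbprint(der: bytes) -> str:
    """Upper-case hex SHA-1, the form Windows uses as the registry key name."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_matches_key(key_name: str, blob: bytes) -> bool:
    """True when the key name, the stored hash property (if present) and the
    embedded certificate all agree on one SHA-1 thumbprint."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    actual = sha1_thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored.hex().upper() != actual:
        return False
    return actual == key_name.upper()


def same_certificate(blob: bytes, downloaded_der: bytes) -> bool:
    """True when the stored certificate is byte-identical to the fetched file
    (the CryptnetUrlCache 'Content' entry listed among the dropped files)."""
    return parse_cert_blob(blob).get(CERT_CERT_PROP_ID) == downloaded_der


def is_well_formed_blob(blob: bytes) -> bool:
    """Convenience wrapper: does the blob parse without structural errors?"""
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


# Constructed sample: a placeholder byte string standing in for a DER
# certificate.  It is not a real certificate and not the blob from the report.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"placeholder DER certificate body" * 3
SAMPLE_BLOB = build_cert_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(SAMPLE_DER).digest(),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})
SAMPLE_KEY_NAME = sha1_thumbprint(SAMPLE_DER)

if __name__ == "__main__":
    print("key name matches embedded certificate:",
          thumbprint_matches_key(SAMPLE_KEY_NAME, SAMPLE_BLOB))
    print("embedded certificate equals download:",
          same_certificate(SAMPLE_BLOB, SAMPLE_DER))
```

On a live system the blob comes from the registry value named in the event and the downloaded file from the CryptnetUrlCache\Content path in the dropped-files list; if both checks pass, the write is the normal caching of a fetched intermediate, and the remaining question is whether the package's signature chain itself is one you trust, which is a question about the signer, not about this registry event.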

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3044
msiexec.exe
91.199.212.52:80
crt.usertrust.com
Comodo CA Ltd
GB
suspicious

DNS requests

Domain
IP
Reputation
crt.usertrust.com
  • 91.199.212.52
whitelisted

Threats

No threats detected
No debug info