File name:

AIT.msi

Full analysis: https://app.any.run/tasks/7286391b-8a47-4b7c-a9e7-58532210fac5
Verdict: Malicious activity
Analysis date: June 02, 2024, 13:25:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Autodesk Inventory Tool, Author: Autodesk, Keywords: Installer, Comments: This installer database contains the logic and data required to install Autodesk Inventory Tool., Template: Intel;1033, Revision Number: {2D7782EC-1C89-4CDD-801C-0FF4B7B26418}, Create Time/Date: Wed Feb 14 10:40:14 2024, Last Saved Time/Date: Wed Feb 14 10:40:14 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

C10573C7E3020B8082E8248D613DFE91

SHA1:

B3D5896C52866F392CCE6077B8E8AAC27A242419

SHA256:

C3D30A356D5F9E731AD2388616C4CD5AE59BFE1DEC89B1BF3651B5D0C94089B2

SSDEEP:

98304:Jz2FT8BpKwXq0BoY4aPh0nv19bj7YeRzCU7MGwr/Rcj3+NtUR22HyDDDDDDDDDD8:aQyGJM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 4020)
      • AIT.exe (PID: 2556)

  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)

    • Executes as Windows Service

      • VSSVC.exe (PID: 4068)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4020)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4020)

    • Reads the Internet Settings

      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)

    • Reads settings of System Certificates

      • AIT.exe (PID: 2556)
      • AITViewer.exe (PID: 2124)

    • Reads security settings of Internet Explorer

      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)

    • Executed via WMI

      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 600)
      • cmd.exe (PID: 2400)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 600)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2680)

    • Executable content was dropped or overwritten

      • AIT.exe (PID: 2556)

    • Application launched itself

      • cmd.exe (PID: 2680)

  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • AutodeskLoginState.exe (PID: 1296)
      • BinaryCheck.exe (PID: 2816)

    • Checks supported languages

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • chcp.com (PID: 2764)
      • chcp.com (PID: 1280)
      • BinaryCheck.exe (PID: 2816)
      • AutodeskLoginState.exe (PID: 1296)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3972)

    • Reads the software policy settings

      • msiexec.exe (PID: 4020)
      • msiexec.exe (PID: 3972)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • BinaryCheck.exe (PID: 2816)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4020)

    • Create files in a temporary directory

      • msiexec.exe (PID: 4020)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4020)

    • Manual execution by a user

      • AITViewer.exe (PID: 1932)
      • AITViewer.exe (PID: 2124)

    • Creates files in the program directory

      • AITViewer.exe (PID: 2124)
      • cmd.exe (PID: 600)
      • cmd.exe (PID: 2680)
      • AIT.exe (PID: 2556)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 2416)
      • BinaryCheck.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Autodesk Inventory Tool
Author: Autodesk
Keywords: Installer
Comments: This installer database contains the logic and data required to install Autodesk Inventory Tool.
Template: Intel;1033
RevisionNumber: {2D7782EC-1C89-4CDD-801C-0FF4B7B26418}
CreateDate: 2024:02:14 10:40:14
ModifyDate: 2024:02:14 10:40:14
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
16
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs aitviewer.exe no specs aitviewer.exe ait.exe cmd.exe no specs cmd.exe no specs chcp.com no specs cmd.exe no specs chcp.com no specs cmd.exe no specs cmd.exe no specs autodeskloginstate.exe no specs cmd.exe no specs binarycheck.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
600C:\Windows\system32\cmd.exe /c C:\ProgramData\User_Subscriptions.cmdC:\Windows\System32\cmd.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
956C:\Windows\system32\cmd.exe /c C:\ProgramData\Installer_Helper.cmdC:\Windows\System32\cmd.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1280CHCP 65001C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1296.\AutodeskLoginState.exeC:\ProgramData\AutodeskLoginState.execmd.exe
User:
admin
Company:
License Dashboard
Integrity Level:
HIGH
Description:
AutodeskLoginState
Exit code:
0
Version:
1.0.1.0
Modules
Images
c:\programdata\autodeskloginstate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1932"C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe" C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exeexplorer.exe
User:
admin
Company:
Autodesk Inc.
Integrity Level:
MEDIUM
Description:
Autodesk Inventory Tool
Exit code:
3221226540
Version:
2.3.2.0
Modules
Images
c:\program files\autodesk\autodesk inventory tool\aitviewer.exe
c:\windows\system32\ntdll.dll
2124"C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe" C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe
explorer.exe
User:
admin
Company:
Autodesk Inc.
Integrity Level:
HIGH
Description:
Autodesk Inventory Tool
Version:
2.3.2.0
Modules
Images
c:\program files\autodesk\autodesk inventory tool\aitviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2400C:\Windows\system32\cmd.exe /c C:\ProgramData\AutodeskLoginState.cmdC:\Windows\System32\cmd.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2416C:\Windows\system32\cmd.exe /c C:\ProgramData\AutodeskBinaryCheck.cmdC:\Windows\System32\cmd.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2556"C:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe" /computer=localhost /autodesk /sl /lu /output="C:\ProgramData\Autodesk\AIT\Output"C:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe
AITViewer.exe
User:
admin
Company:
Autodesk Inc.
Integrity Level:
HIGH
Description:
Autodesk Inventory Tool
Exit code:
0
Version:
2.3.2.0
Modules
Images
c:\program files\autodesk\autodesk inventory tool\ait.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2680C:\Windows\system32\cmd.exe /c C:\ProgramData\GenuineTxt.cmdC:\Windows\System32\cmd.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
21 393
Read events
21 025
Write events
353
Delete events
15

Modification events

(PID) Process:(3972) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4020) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
40000000000000009AD4DF4DF0B4DA01B40F0000DC0F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4020) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
40000000000000009AD4DF4DF0B4DA01B40F0000DC0F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4020) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
75
(PID) Process:(4020) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4000000000000000602E9C4EF0B4DA01B40F0000DC0F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4020) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000BA909E4EF0B4DA01B40F000028040000E8030000010000000000000000000000299CF54F18D3A5418AB21FB869BEFE3F0000000000000000
(PID) Process:(4068) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000221AA84EF0B4DA01E40F0000F00F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4068) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000221AA84EF0B4DA01E40F000050070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4068) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000221AA84EF0B4DA01E40F0000EC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(4068) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000221AA84EF0B4DA01E40F0000FC070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
44
Suspicious files
11
Text files
26
Unknown types
0

Dropped files

PID
Process
Filename
Type
4020msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
4020msiexec.exeC:\Windows\Installer\107273.msi
MD5:
SHA256:
4020msiexec.exeC:\Windows\Installer\107274.ipibinary
MD5:46B645D254889BEC16E53E7F44AF66FB
SHA256:3FA378D7FB1F6EA1A709E3F33A835DBE92B7147C37754CFC48E851F5E53A60CE
4020msiexec.exeC:\Windows\Installer\MSI7C08.tmpbinary
MD5:29292BFC55CCD1DE8EE91C8433D5EC6D
SHA256:DF35B8CB670CAED2A86F0C4067FE93D6622097ED126F562021B430509B930832
4020msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF7F7EE3AEE69DAC6C.TMPbinary
MD5:7352592B33A2FCE73EEB8F316FE349B9
SHA256:90546ABCA45DF340D841D637865445805837723629FF22DEA7FF9D5FBCFC810B
4020msiexec.exeC:\Program Files\Autodesk\Autodesk Inventory Tool\Autodesk.icoimage
MD5:E471FAC85EBFE538967FFB7C01B0ABC8
SHA256:9F6802D6FF6EE0A26B4C2C69A7CD3419443D26E362D2E7C447B804825C06AAD1
4020msiexec.exeC:\Program Files\Autodesk\Autodesk Inventory Tool\AutodeskProductCodestext
MD5:A73ADF033A704E8C9CAC7207EC4AA73E
SHA256:32E0696927C31DD0F6579478E69AC7C50172291E0A5C597A14257D0CE9E1B12F
4020msiexec.exeC:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exeexecutable
MD5:F12AEE6D6B5761B77305C289BE36E572
SHA256:5D8A0363D608E4D1E6CB07FD591F7B937A3029B432941A59DC5F9449781E6837
4020msiexec.exeC:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe.configxml
MD5:A0A58E09F37EC9D2E4FA6686B51E39B8
SHA256:130B898ADF04CFF0C17FB1C30869E4D38E207AE8CA82763A64E31413FA23012F
4020msiexec.exeC:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exeexecutable
MD5:3033E823916ABFCB06EFD6BFB544FF61
SHA256:E0EED3AA8F4E7E779D9B4A97026FF6348052EA361111BAA637A452B68A48F542
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AIT.msi