File name: AIT.msi
Full analysis: https://app.any.run/tasks/7286391b-8a47-4b7c-a9e7-58532210fac5
Verdict: Malicious activity
Analysis date: June 02, 2024, 13:25:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Autodesk Inventory Tool, Author: Autodesk, Keywords: Installer, Comments: This installer database contains the logic and data required to install Autodesk Inventory Tool., Template: Intel;1033, Revision Number: {2D7782EC-1C89-4CDD-801C-0FF4B7B26418}, Create Time/Date: Wed Feb 14 10:40:14 2024, Last Saved Time/Date: Wed Feb 14 10:40:14 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: C10573C7E3020B8082E8248D613DFE91
SHA1: B3D5896C52866F392CCE6077B8E8AAC27A242419
SHA256: C3D30A356D5F9E731AD2388616C4CD5AE59BFE1DEC89B1BF3651B5D0C94089B2
SSDEEP: 98304:Jz2FT8BpKwXq0BoY4aPh0nv19bj7YeRzCU7MGwr/Rcj3+NtUR22HyDDDDDDDDDD8:aQyGJM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 4020)
      • AIT.exe (PID: 2556)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 4068)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4020)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4020)
    • Reads the Internet Settings

      • AIT.exe (PID: 2556)
      • AITViewer.exe (PID: 2124)
    • Reads settings of System Certificates

      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
    • Reads security settings of Internet Explorer

      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
    • Executable content was dropped or overwritten

      • AIT.exe (PID: 2556)
    • Executed via WMI

      • cmd.exe (PID: 956)
      • cmd.exe (PID: 600)
      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 2400)
      • cmd.exe (PID: 2416)
    • Starts application with an unusual extension

      • cmd.exe (PID: 600)
      • cmd.exe (PID: 2680)
    • Application launched itself

      • cmd.exe (PID: 2680)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2680)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • chcp.com (PID: 2764)
      • chcp.com (PID: 1280)
      • AutodeskLoginState.exe (PID: 1296)
      • BinaryCheck.exe (PID: 2816)
    • Reads the computer name

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • AutodeskLoginState.exe (PID: 1296)
      • BinaryCheck.exe (PID: 2816)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3972)
    • Reads the software policy settings

      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4020)
      • AITViewer.exe (PID: 2124)
      • AIT.exe (PID: 2556)
      • BinaryCheck.exe (PID: 2816)
    • Create files in a temporary directory

      • msiexec.exe (PID: 4020)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4020)
    • Manual execution by a user

      • AITViewer.exe (PID: 2124)
      • AITViewer.exe (PID: 1932)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4020)
    • Creates files in the program directory

      • AITViewer.exe (PID: 2124)
      • cmd.exe (PID: 956)
      • AIT.exe (PID: 2556)
      • cmd.exe (PID: 600)
      • cmd.exe (PID: 2680)
      • cmd.exe (PID: 2416)
      • BinaryCheck.exe (PID: 2816)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Autodesk Inventory Tool
Author: Autodesk
Keywords: Installer
Comments: This installer database contains the logic and data required to install Autodesk Inventory Tool.
Template: Intel;1033
RevisionNumber: {2D7782EC-1C89-4CDD-801C-0FF4B7B26418}
CreateDate: 2024:02:14 10:40:14
ModifyDate: 2024:02:14 10:40:14
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
Total processes: 62
Monitored processes: 16
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process chain (graph nodes in report order; "no specs" is the report's marker for a process without flagged indicators):
msiexec.exe (no specs)
msiexec.exe
vssvc.exe (no specs)
aitviewer.exe (no specs)
aitviewer.exe
ait.exe
cmd.exe (no specs)
cmd.exe (no specs)
chcp.com (no specs)
cmd.exe (no specs)
chcp.com (no specs)
cmd.exe (no specs)
cmd.exe (no specs)
autodeskloginstate.exe (no specs)
cmd.exe (no specs)
binarycheck.exe (no specs)

Process information

PID: 600
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\User_Subscriptions.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 956
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\Installer_Helper.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1280
CMD: CHCP 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1296
CMD: .\AutodeskLoginState.exe
Path: C:\ProgramData\AutodeskLoginState.exe
Parent process: cmd.exe
User: admin
Company: License Dashboard
Integrity Level: HIGH
Description: AutodeskLoginState
Exit code: 0
Version: 1.0.1.0
Modules (images):
c:\programdata\autodeskloginstate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1932
CMD: "C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe"
Path: C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe
Parent process: explorer.exe
User: admin
Company: Autodesk Inc.
Integrity Level: MEDIUM
Description: Autodesk Inventory Tool
Exit code: 3221226540
Version: 2.3.2.0
Modules (images):
c:\program files\autodesk\autodesk inventory tool\aitviewer.exe
c:\windows\system32\ntdll.dll

PID: 2124
CMD: "C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe"
Path: C:\Program Files\Autodesk\Autodesk Inventory Tool\AITViewer.exe
Parent process: explorer.exe
User: admin
Company: Autodesk Inc.
Integrity Level: HIGH
Description: Autodesk Inventory Tool
Version: 2.3.2.0
Modules (images):
c:\program files\autodesk\autodesk inventory tool\aitviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2400
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\AutodeskLoginState.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2416
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\AutodeskBinaryCheck.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2556
CMD: "C:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe" /computer=localhost /autodesk /sl /lu /output="C:\ProgramData\Autodesk\AIT\Output"
Path: C:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe
Parent process: AITViewer.exe
User: admin
Company: Autodesk Inc.
Integrity Level: HIGH
Description: Autodesk Inventory Tool
Exit code: 0
Version: 2.3.2.0
Modules (images):
c:\program files\autodesk\autodesk inventory tool\ait.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2680
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\GenuineTxt.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 21 393
Read events: 21 025
Write events: 353
Delete events: 15

Modification events

Process: (3972) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (4020) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000009AD4DF4DF0B4DA01B40F0000DC0F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (4020) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000009AD4DF4DF0B4DA01B40F0000DC0F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (4020) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 75

Process: (4020) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000602E9C4EF0B4DA01B40F0000DC0F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (4020) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000BA909E4EF0B4DA01B40F000028040000E8030000010000000000000000000000299CF54F18D3A5418AB21FB869BEFE3F0000000000000000

Process: (4068) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000221AA84EF0B4DA01E40F0000F00F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (4068) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000221AA84EF0B4DA01E40F000050070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (4068) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000221AA84EF0B4DA01E40F0000EC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (4068) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000221AA84EF0B4DA01E40F0000FC070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 44
Suspicious files: 11
Text files: 26
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4020 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 |
MD5:
SHA256:

4020 | msiexec.exe | C:\Windows\Installer\107273.msi |
MD5:
SHA256:

4020 | msiexec.exe | C:\Windows\Installer\MSI7C08.tmp | binary
MD5: 29292BFC55CCD1DE8EE91C8433D5EC6D
SHA256: DF35B8CB670CAED2A86F0C4067FE93D6622097ED126F562021B430509B930832

4020 | msiexec.exe | C:\Program Files\Autodesk\Autodesk Inventory Tool\AdlmPITInfo32.dll | executable
MD5: 1F5AF90085C788E19F311F2551B37A93
SHA256: 3A72621F2BFC3498B93D5A49710216A3313771BC04EE2AFF4FCA5BC828A9D950

4020 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7F7EE3AEE69DAC6C.TMP | binary
MD5: 7352592B33A2FCE73EEB8F316FE349B9
SHA256: 90546ABCA45DF340D841D637865445805837723629FF22DEA7FF9D5FBCFC810B

4020 | msiexec.exe | C:\Program Files\Autodesk\Autodesk Inventory Tool\AdlmPITInfo64.dll | executable
MD5: 5B2C4B986C5CE775053194BE500858BC
SHA256: DB15690AF44A466A6999AC631E5A0CA1BD3138AA3A5C2BA0104206F439D2595A

4020 | msiexec.exe | C:\Program Files\Autodesk\Autodesk Inventory Tool\AIT.exe | executable
MD5: F12AEE6D6B5761B77305C289BE36E572
SHA256: 5D8A0363D608E4D1E6CB07FD591F7B937A3029B432941A59DC5F9449781E6837

4020 | msiexec.exe | C:\Windows\Installer\107274.ipi | binary
MD5: 46B645D254889BEC16E53E7F44AF66FB
SHA256: 3FA378D7FB1F6EA1A709E3F33A835DBE92B7147C37754CFC48E851F5E53A60CE

4020 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{4ff59c29-d318-41a5-8ab2-1fb869befe3f}_OnDiskSnapshotProp | binary
MD5: 744260D0A1804F6BA6C2A42E14CF2D38
SHA256: EED49AA0392BDA438887C0C6FD12775CA6DADEB82832B3C087984E1D1B6E7677

4020 | msiexec.exe | C:\Program Files\Autodesk\Autodesk Inventory Tool\BinaryCheck.exe | executable
MD5: F7D07986BA9EAF920DF2BECC6A830CD1
SHA256: DCAA94D9F30C529688ACD03055981C620A6E18E5E29AB2CC58F020C407336DCA
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info