File name: ai-toolkit(6).exe
Full analysis: https://app.any.run/tasks/349a34b9-e45b-4b9f-863f-e7fc961b4f43
Verdict: Malicious activity
Analysis date: December 09, 2023, 13:55:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3A56F6A4794EE19C6CD8A009FF9D9E2B
SHA1: 6D0A2F22BC947606B09916BED0502D06E5C7F18F
SHA256: E0B751278AFF5D71176C974B4C9D20094757DF65B5538D52D05EA4944EC7BEBB
SSDEEP: 196608:WJZi+5F0YiQtGpr/3vcGup6LUhqGtdsrZyyU:WJj5CY/tAjxKBhXtdQZfU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ai-toolkit(6).exe (PID: 1352)
      • ai-toolkit(6).tmp (PID: 2928)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ai-toolkit(6).tmp (PID: 2928)
    • Reads the Windows owner or organization settings

      • ai-toolkit(6).tmp (PID: 2928)
    • Drops 7-zip archiver for unpacking

      • ai-toolkit(6).tmp (PID: 2928)
    • Reads the Internet Settings

      • ai-toolkit(6).tmp (PID: 2928)
      • AIToolkit.exe (PID: 1360)
    • Reads security settings of Internet Explorer

      • AIToolkit.exe (PID: 1360)
    • Checks Windows Trust Settings

      • AIToolkit.exe (PID: 1360)
    • Reads settings of System Certificates

      • AIToolkit.exe (PID: 1360)
    • Adds/modifies Windows certificates

      • AIToolkit.exe (PID: 1360)
  • INFO

    • Checks supported languages

      • ai-toolkit(6).exe (PID: 1352)
      • ai-toolkit(6).tmp (PID: 2928)
      • AIToolkit.exe (PID: 1360)
      • wmpnscfg.exe (PID: 3344)
    • Create files in a temporary directory

      • ai-toolkit(6).exe (PID: 1352)
      • ai-toolkit(6).tmp (PID: 2928)
      • AIToolkit.exe (PID: 1360)
    • Reads the computer name

      • ai-toolkit(6).tmp (PID: 2928)
      • AIToolkit.exe (PID: 1360)
      • wmpnscfg.exe (PID: 3344)
    • Creates files in the program directory

      • ai-toolkit(6).tmp (PID: 2928)
    • Reads the machine GUID from the registry

      • AIToolkit.exe (PID: 1360)
    • Creates files or folders in the user directory

      • ai-toolkit(6).tmp (PID: 2928)
      • AIToolkit.exe (PID: 1360)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3344)
    • Checks proxy server information

      • AIToolkit.exe (PID: 1360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:09 10:48:22+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 60416
InitializedDataSize: 353280
UninitializedDataSize: -
EntryPoint: 0xf3bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.8.0.0
ProductVersionNumber: 7.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: GiliSoft.com
FileDescription: GiliSoft AI Toolkit Setup
FileVersion: 7.8.0
LegalCopyright: Copyright © 2005-2023 GiliSoft International LLC.
ProductName: GiliSoft AI Toolkit
ProductVersion: 7.8.0
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Interactive process graph, available in the full report. Nodes shown: start, ai-toolkit(6).exe, ai-toolkit(6).tmp (no specs), aitoolkit.exe, wmpnscfg.exe (no specs), ai-toolkit(6).exe (no specs)]

Process information

PID: 1352
CMD: "C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
Path: C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe
Parent process: explorer.exe
User: admin
Company: GiliSoft.com
Integrity Level: HIGH
Description: GiliSoft AI Toolkit Setup
Exit code: 0
Version: 7.8.0
Modules (images):
  c:\users\admin\appdata\local\temp\ai-toolkit(6).exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 1360
CMD: "C:\Program Files\GiliSoft\AI Toolkit\AIToolkit.exe"
Path: C:\Program Files\GiliSoft\AI Toolkit\AIToolkit.exe
Parent process: ai-toolkit(6).tmp
User: admin
Integrity Level: HIGH
Description: AIToolkit
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\program files\gilisoft\ai toolkit\aitoolkit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll

PID: 2928
CMD: "C:\Users\admin\AppData\Local\Temp\is-H2Q2D.tmp\ai-toolkit(6).tmp" /SL5="$1C0142,13333153,414720,C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
Path: C:\Users\admin\AppData\Local\Temp\is-H2Q2D.tmp\ai-toolkit(6).tmp
Parent process: ai-toolkit(6).exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-h2q2d.tmp\ai-toolkit(6).tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 3048
CMD: "C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
Path: C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe
Parent process: explorer.exe
User: admin
Company: GiliSoft.com
Integrity Level: MEDIUM
Description: GiliSoft AI Toolkit Setup
Exit code: 3221226540
Version: 7.8.0
Modules (images):
  c:\users\admin\appdata\local\temp\ai-toolkit(6).exe
  c:\windows\system32\ntdll.dll

PID: 3344
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
Total events: 8 648
Read events: 8 614
Write events: 28
Delete events: 6

Modification events

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: C66067DFAB05D2F006C8AA638D4C7A1B4678A051A0D3E3F475BCF8439F512F09

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value: C:\Program Files\GiliSoft\AI Toolkit\7z.dll

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: 1

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value: 90892C56BB31D9654E9FEC80A747DEAE00208301989231FF08A5C134EB3C6605

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Owner
Value: 700B0000283AB175A72ADA01

(PID) Process: (2928) ai-toolkit(6).tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete key
Name: (default)
Value: (empty)
Executable files: 34
Suspicious files: 15
Text files: 303
Unknown types: 1

Dropped files

PID | Process | Filename | Type

2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\MinBtn.png | image
  MD5: 0348EFB1CB0D30DFF711E4700398FD15
  SHA256: 48BC6E1264B4AAACDCE930D8FA19A9DC6F1975BC5E57188A342E1AE5B9731EDA
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\Logo.png | image
  MD5: F46BCC778546B6FD445F841A4AE59593
  SHA256: 8A21D335E25213EA1EF918ECAE3B923180E26DE64B5892D58D02B3296B894E04
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\bg.png | image
  MD5: B816C5B9D4E05F22BE3EE26A2DA3B42B
  SHA256: 66D976294219EEECBE6E87B611EE06FE3B329592A355B03E0488FCB441593189
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\_isetup\_shfoldr.dll | executable
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
  SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\LowerSpace.png | image
  MD5: B5B83B2BE06F686B3D192094D2E0E2F0
  SHA256: 912E92DCB6EE06410A2BD75399CB5D6386814CF2D313D57AF4ECD58A10931D17
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\CloseBtn.png | image
  MD5: 96E7E5849AF19A2B5626DF65771D2E9C
  SHA256: 910A3B79C743B30F61DF1DA9C85D466915CEB31767C5E6FF315B332C8F57BFAD
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\CompanyLogo.png | image
  MD5: 34D03A29A69A80C128305BB383B85F57
  SHA256: D565881B07D80932A13A0ABA41DB31CE2EFE08472304070B1250E721360D50D4
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\ProgressBackground.png | image
  MD5: 7F603F018AF24A2FFA8B22D9128DD97C
  SHA256: 73FE481BCF70C98CCEDF06237183DA9C2F5FFE6EF1A2EE77CBF21D24C17B009F
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\install.png | image
  MD5: F1CCEB528BFC25D1DD6DBA7F09FDC4E1
  SHA256: 9DBB6FA024D10AD210BD8E2AFF7CDC0A58455C529CEA70E3E744C31CB59B36B5
2928 | ai-toolkit(6).tmp | C:\Users\admin\AppData\Local\Temp\is-5GB02.tmp\FinishBtn.png | image
  MD5: 9598C5668212128DD03CFE75F407C4E5
  SHA256: 8D05CB51AC9A413115C77F80233124819ABD9412C55F2DC8789AC2039D41191C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 12
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1360 | AIToolkit.exe | GET | 200 | 104.18.21.226:80 | http://secure.globalsign.com/cacert/codesigningrootr45.crt | unknown | binary | 1.37 Kb | unknown
1360 | AIToolkit.exe | GET | 200 | 23.216.77.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2809cc02973b9ef4 | unknown | compressed | 65.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1360 | AIToolkit.exe | 104.18.21.226:80 | secure.globalsign.com | CLOUDFLARENET | - | shared
1360 | AIToolkit.exe | 23.216.77.50:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1360 | AIToolkit.exe | 208.113.198.131:443 | www.download.gilisoft.com | DREAMHOST-AS | US | unknown

DNS requests

Domain | IP | Reputation
secure.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
ctldl.windowsupdate.com | 23.216.77.50, 23.216.77.48, 23.216.77.46, 23.216.77.69, 23.216.77.80, 23.216.77.44, 23.216.77.81, 23.216.77.79, 23.216.77.62 | whitelisted
www.download.gilisoft.com | 208.113.198.131 | unknown

Threats

No threats detected

Debug output

Process | Message
AIToolkit.exe | C:\Program Files\GiliSoft\AI Toolkit\MagicSkin.dll
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 111111111111111111111111111111111111111111111111111111111
AIToolkit.exe | 创建的下载类制作: 03AF8040, 下载文件：https://www.download.gilisoft.com/gs/ai-toolkit/ocr.zip
AIToolkit.exe | 进入获取重定向
AIToolkit.exe | 获取重定向地址中 获取到CURLINFO_RESPONSE_CODE：200