File name: ai-toolkit(6).exe
Full analysis: https://app.any.run/tasks/5926a1f5-71a3-4667-885b-a810ca081ae7
Verdict: Malicious activity
Analysis date: December 09, 2023, 14:02:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3A56F6A4794EE19C6CD8A009FF9D9E2B
SHA1: 6D0A2F22BC947606B09916BED0502D06E5C7F18F
SHA256: E0B751278AFF5D71176C974B4C9D20094757DF65B5538D52D05EA4944EC7BEBB
SSDEEP: 196608:WJZi+5F0YiQtGpr/3vcGup6LUhqGtdsrZyyU:WJj5CY/tAjxKBhXtdQZfU
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ai-toolkit(6).tmp (PID: 2600)
      • ai-toolkit(6).exe (PID: 604)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ai-toolkit(6).tmp (PID: 2600)
    • Reads the Internet Settings

      • ai-toolkit(6).tmp (PID: 2600)
      • AIToolkit.exe (PID: 3832)
    • Reads the Windows owner or organization settings

      • ai-toolkit(6).tmp (PID: 2600)
    • Reads settings of System Certificates

      • AIToolkit.exe (PID: 3832)
    • Drops 7-zip archiver for unpacking

      • ai-toolkit(6).tmp (PID: 2600)
    • Reads security settings of Internet Explorer

      • AIToolkit.exe (PID: 3832)
    • Checks Windows Trust Settings

      • AIToolkit.exe (PID: 3832)
    • Adds/modifies Windows certificates

      • AIToolkit.exe (PID: 3832)
  • INFO

    • Checks supported languages

      • ai-toolkit(6).exe (PID: 604)
      • ai-toolkit(6).tmp (PID: 2600)
      • AIToolkit.exe (PID: 3832)
      • wmpnscfg.exe (PID: 1844)
    • Creates files in a temporary directory

      • ai-toolkit(6).exe (PID: 604)
      • ai-toolkit(6).tmp (PID: 2600)
      • AIToolkit.exe (PID: 3832)
    • Reads the computer name

      • ai-toolkit(6).tmp (PID: 2600)
      • AIToolkit.exe (PID: 3832)
      • wmpnscfg.exe (PID: 1844)
    • Creates files in the program directory

      • ai-toolkit(6).tmp (PID: 2600)
    • Reads the machine GUID from the registry

      • AIToolkit.exe (PID: 3832)
    • Creates files or folders in the user directory

      • ai-toolkit(6).tmp (PID: 2600)
      • AIToolkit.exe (PID: 3832)
    • Checks proxy server information

      • AIToolkit.exe (PID: 3832)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:10:09 10:48:22+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 60416
InitializedDataSize: 353280
UninitializedDataSize: -
EntryPoint: 0xf3bc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.8.0.0
ProductVersionNumber: 7.8.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: GiliSoft.com
FileDescription: GiliSoft AI Toolkit Setup
FileVersion: 7.8.0
LegalCopyright: Copyright © 2005-2023 GiliSoft International LLC.
ProductName: GiliSoft AI Toolkit
ProductVersion: 7.8.0
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  explorer.exe
    ai-toolkit(6).exe (PID 604)
      ai-toolkit(6).tmp (PID 2600)
        AIToolkit.exe (PID 3832)
    wmpnscfg.exe (PID 1844, no specs)
    ai-toolkit(6).exe (PID 2540, no specs)

Process information

PID 604
  CMD: "C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
  Path: C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe
  Parent process: explorer.exe
  User: admin
  Company: GiliSoft.com
  Integrity Level: HIGH
  Description: GiliSoft AI Toolkit Setup
  Exit code: 0
  Version: 7.8.0
  Modules:
    c:\users\admin\appdata\local\temp\ai-toolkit(6).exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
PID 1844
  CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules:
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
PID 2540
  CMD: "C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
  Path: C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe
  Parent process: explorer.exe
  User: admin
  Company: GiliSoft.com
  Integrity Level: MEDIUM
  Description: GiliSoft AI Toolkit Setup
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 7.8.0
  Modules:
    c:\users\admin\appdata\local\temp\ai-toolkit(6).exe
    c:\windows\system32\ntdll.dll

This medium-integrity instance never ran (only ntdll.dll is mapped): the installer requires elevation, so the launch failed with STATUS_ELEVATION_REQUIRED and the HIGH-integrity instance PID 604 is the elevated relaunch that did the work.
PID 2600
  CMD: "C:\Users\admin\AppData\Local\Temp\is-PD2O9.tmp\ai-toolkit(6).tmp" /SL5="$1C0142,13333153,414720,C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-PD2O9.tmp\ai-toolkit(6).tmp
  Parent process: ai-toolkit(6).exe
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.1052.0.0
  Modules:
    c:\users\admin\appdata\local\temp\is-pd2o9.tmp\ai-toolkit(6).tmp
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll

This is the Inno Setup setup program that the loader (PID 604) extracted to is-PD2O9.tmp (see the dropped-files list); the /SL5 switch points back at the original installer path. The "Setup/Uninstall" description and 51.1052.0.0 version are Inno Setup's own, not GiliSoft's.
PID 3832
  CMD: "C:\Program Files\GiliSoft\AI Toolkit\AIToolkit.exe"
  Path: C:\Program Files\GiliSoft\AI Toolkit\AIToolkit.exe
  Parent process: ai-toolkit(6).tmp
  User: admin
  Integrity Level: HIGH
  Description: AIToolkit
  Exit code: 0
  Version: 1.0.0.0
  Modules:
    c:\program files\gilisoft\ai toolkit\aitoolkit.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\wininet.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
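The /SL5 command line on PID 2600 is the hand-off from the Inno Setup loader to the setup program it unpacks, and it is the one artifact that ties an is-XXXXX.tmp child back to the installer file that spawned it. The following is an added example, not code from the ANY.RUN report or from Inno Setup itself: it parses the switch and runs the triage checks an analyst would apply to such a child. The field meanings (window handle, installer size, offset of the embedded setup program, installer path) are my reading of Inno Setup's loader and are stated as an assumption; the 1024-byte header size used in the final cross-check is also an assumption, since SizeOfHeaders is not on the page. The sample command line and paths are constructed from the report's process list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the ANY.RUN report or Inno Setup. Assumed field layout:
#   /SL5="$<window handle, hex>,<installer file size>,<offset of embedded setup
#          program inside the installer>,<installer path>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
# Inno Setup unpacks its setup program to %TEMP%\is-XXXXX.tmp\<name>.tmp
IS_TMP_DIR_RE = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$', re.IGNORECASE)


@dataclass(frozen=True)
class InnoLoaderArgs:
    window_handle: int
    installer_size: int      # bytes
    inner_exe_offset: int    # bytes from the start of the installer file
    installer_path: str


def parse_sl5(cmdline: str) -> Optional[InnoLoaderArgs]:
    """Return the /SL5 fields from a process command line, or None if absent."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return InnoLoaderArgs(
        window_handle=int(m.group(1), 16),
        installer_size=int(m.group(2)),
        inner_exe_offset=int(m.group(3)),
        installer_path=m.group(4),
    )


def inno_child_checks(image_path: str, cmdline: str, parent_image: str) -> dict:
    """Triage checks tying an is-XXXXX.tmp child to the installer that spawned it.
    All four are True for a genuine Inno Setup launch. A .tmp under is-XXXXX.tmp
    with no /SL5, or an /SL5 path that is not the parent image, deserves a look."""
    args = parse_sl5(cmdline)
    return {
        "has_sl5": args is not None,
        "image_in_is_tmp_dir": bool(IS_TMP_DIR_RE.search(image_path)),
        "sl5_path_is_parent": args is not None
            and args.installer_path.lower() == parent_image.lower(),
        "offset_inside_installer": args is not None
            and 0 < args.inner_exe_offset < args.installer_size,
    }


def loader_image_end(code_size: int, init_data_size: int, headers_size: int = 1024) -> int:
    """Where the loader's own PE image ends on disk. Inno Setup appends the setup
    program right after it, so this should equal inner_exe_offset.
    headers_size=1024 is an assumption (SizeOfHeaders is not in the report)."""
    return headers_size + code_size + init_data_size


# Constructed from the report: PID 2600 (child) and its parent PID 604.
SAMPLE_CMD = (r'"C:\Users\admin\AppData\Local\Temp\is-PD2O9.tmp\ai-toolkit(6).tmp" '
              r'/SL5="$1C0142,13333153,414720,C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"')
SAMPLE_IMAGE = r"C:\Users\admin\AppData\Local\Temp\is-PD2O9.tmp\ai-toolkit(6).tmp"
SAMPLE_PARENT = r"C:\Users\admin\AppData\Local\Temp\ai-toolkit(6).exe"

if __name__ == "__main__":
    print(parse_sl5(SAMPLE_CMD))
    print(inno_child_checks(SAMPLE_IMAGE, SAMPLE_CMD, SAMPLE_PARENT))
    # EXIF on the page: CodeSize 60416, InitializedDataSize 353280
    print(loader_image_end(60416, 353280))
```

For this sample the cross-check lines up: 1024 + 60416 + 353280 = 414720, the third /SL5 field, so the embedded setup program starts immediately after the loader's PE image, which is where an analyst carving the installer would look for it.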
Total events: 8 648
Read events: 8 614
Write events: 28
Delete events: 6

Modification events

PID 2600 ai-toolkit(6).tmp
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    write         ProxyBypass = 1
    write         IntranetName = 1
    write         UNCAsIntranet = 1
    write         AutoDetect = 0
  Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
    delete value  RegFilesHash = DA648F9958A2290C13B42681A9813EDC7D94CFD3637CDC685FC4379D61DFD2AE
    delete value  RegFiles0000 = C:\Program Files\GiliSoft\AI Toolkit\7z.dll
    delete value  Sequence = 1
    delete value  SessionHash = F55F28B335D9CD1BB73D68D82279FAFE74DBB74814A6978A1B1DE953D936BC9C
    delete value  Owner = 280A0000CEE89761A82ADA01
    delete key    (default)

The four ZoneMap values govern Internet Explorer's Local Intranet zone detection and are the usual side effect of a process initialising WinINet/urlmon security zones in a profile that has none; they are not a persistence or defence-evasion change. The RestartManager\Session0000 deletions are the clean-up of a Restart Manager session in which the installer registered C:\Program Files\GiliSoft\AI Toolkit\7z.dll (the RegFiles0000 value) to find out whether it was in use before replacing it.
Executable files: 34
Suspicious files: 16
Text files: 303
Unknown types: 0

Dropped files

PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\MinBtn.png  (image)
  MD5: 0348EFB1CB0D30DFF711E4700398FD15
  SHA256: 48BC6E1264B4AAACDCE930D8FA19A9DC6F1975BC5E57188A342E1AE5B9731EDA
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\CommonBtn.png  (image)
  MD5: 593394F776971EADDE458A1D05AC611E
  SHA256: EE9A06D34A7902E91445515D93EF03D8A9F7242C5385A0BEB108BC6F33B43E4A
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\_isetup\_shfoldr.dll  (executable)
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
  SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\Logo.png  (image)
  MD5: F46BCC778546B6FD445F841A4AE59593
  SHA256: 8A21D335E25213EA1EF918ECAE3B923180E26DE64B5892D58D02B3296B894E04
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\bg.png  (image)
  MD5: B816C5B9D4E05F22BE3EE26A2DA3B42B
  SHA256: 66D976294219EEECBE6E87B611EE06FE3B329592A355B03E0488FCB441593189
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\CloseBtn1.png  (image)
  MD5: 5A1A092E20F11185C6013BB84720BD7E
  SHA256: EF0CFCD17362FD1C3DB33BAFCE55ED06D4CB78559BA91AEBADD5A0328DB80876
PID 604   ai-toolkit(6).exe  C:\Users\admin\AppData\Local\Temp\is-PD2O9.tmp\ai-toolkit(6).tmp  (executable)
  MD5: 682D35933112FB061E1A7B527206E6E5
  SHA256: F261C8032A5FC17643A891B7BC125EE68A054543104725B9C251E81BBA519DCF
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\CompanyLogo.png  (image)
  MD5: 34D03A29A69A80C128305BB383B85F57
  SHA256: D565881B07D80932A13A0ABA41DB31CE2EFE08472304070B1250E721360D50D4
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\CheckBox.png  (image)
  MD5: B7D4C7FD2E1D5FA7FCE1A8A8A1581B9D
  SHA256: F944F62D64956E63105FC2645C878901C447122060C20C22F4E6EB929C26CFE5
PID 2600  ai-toolkit(6).tmp  C:\Users\admin\AppData\Local\Temp\is-VB6I7.tmp\ProgressFrame.png  (image)
  MD5: 7F603F018AF24A2FFA8B22D9128DD97C
  SHA256: 73FE481BCF70C98CCEDF06237183DA9C2F5FFE6EF1A2EE77CBF21D24C17B009F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 4
Threats: 0

HTTP requests

PID   Process        Method  Code  IP                   URL                                                                                                   CN       Type        Size     Reputation
3832  AIToolkit.exe  GET     200   151.101.66.133:80    http://secure.globalsign.com/cacert/codesigningrootr45.crt                                            unknown  binary      1.37 Kb  unknown
3832  AIToolkit.exe  GET     200   173.222.108.195:80   http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ede20510d642a7ab  unknown  compressed  65.2 Kb  unknown

Both plaintext requests are Windows CryptoAPI building a certificate chain on the process's behalf: the GlobalSign URL is the AIA download of the GlobalSign Code Signing Root R45 certificate, and authrootstl.cab is Microsoft's automatic root certificate update list. Together they account for the "Reads settings of System Certificates", "Checks Windows Trust Settings" and "Adds/modifies Windows certificates" indicators on PID 3832; they are not application command-and-control. The application's own transfer, the asr.zip download named in the debug output, goes over TLS to www.download.gilisoft.com (208.113.198.131:443) and therefore does not appear in this table.

Connections

PID   Process        IP:port                Domain                     ASN                        CN  Reputation
4     System         192.168.100.255:137    -                          -                          -   whitelisted
2588  svchost.exe    239.255.255.250:1900   -                          -                          -   whitelisted
4     System         192.168.100.255:138    -                          -                          -   whitelisted
1080  svchost.exe    224.0.0.252:5355       -                          -                          -   unknown
3832  AIToolkit.exe  151.101.66.133:80      secure.globalsign.com      FASTLY                     US  unknown
3832  AIToolkit.exe  173.222.108.195:80     ctldl.windowsupdate.com    Akamai International B.V.  CH  unknown
3832  AIToolkit.exe  208.113.198.131:443    www.download.gilisoft.com  DREAMHOST-AS               US  unknown

The first four rows are background traffic from the Windows guest itself (NetBIOS name service and datagram broadcasts on 137/138, SSDP on 239.255.255.250:1900, LLMNR on 224.0.0.252:5355), not activity of the sample. Only the three AIToolkit.exe rows belong to the analysed software.

DNS requests

Domain                     IP(s)                                                              Reputation
secure.globalsign.com      151.101.66.133, 151.101.130.133, 151.101.2.133, 151.101.194.133    whitelisted
ctldl.windowsupdate.com    173.222.108.195, 173.222.108.226, 173.222.108.249, 173.222.108.243 whitelisted
www.download.gilisoft.com  208.113.198.131                                                    unknown
download.gilisoft.com      208.113.198.131                                                    unknown

Threats

No threats detected

Debug output strings

Process        Message
AIToolkit.exe  C:\Program Files\GiliSoft\AI Toolkit\MagicSkin.dll
AIToolkit.exe  111111111111111111111111111111111111111111111111111111111   (the same line is emitted six times)
AIToolkit.exe  Created download class object: 033495F0, file to download: https://www.download.gilisoft.com/gs/ai-toolkit/asr.zip
AIToolkit.exe  Entering redirect retrieval
AIToolkit.exe  Retrieving redirect address: got CURLINFO_RESPONSE_CODE: 200

The last three strings are written in GBK, the ANSI code page of Chinese Windows, and are given above in English. The report renders their raw bytes as Latin-1, which is why they appear as "´´½¨µÄÏÂÔØ..." in the original; decoded, they read 创建的下载类制作: 033495F0, 下载文件：https://www.download.gilisoft.com/gs/ai-toolkit/asr.zip / 进入获取重定向 / 获取重定向地址中 获取到CURLINFO_RESPONSE_CODE：200. The CURLINFO_RESPONSE_CODE name shows the download is made with libcurl, and the 200 matches the TLS connection to www.download.gilisoft.com (208.113.198.131:443) in the Connections table; the asr.zip content itself is not visible in the plaintext HTTP log.
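Mojibake like the strings above is common in debug output from software built for Chinese Windows, and the URL buried in it is the IOC an analyst actually wants. The following is an added example, not code from the ANY.RUN report or from GiliSoft: it reverses the GBK-bytes-shown-as-Latin-1 misdecoding and pulls download URLs out of the recovered text, leaving anything that is not a clean Latin-1/GBK round-trip untouched instead of guessing. The sample lines are constructed by copying the report's debug output as displayed.

```python
import re
from typing import List

# Added example, not from the ANY.RUN report. AIToolkit.exe emits its debug
# strings in GBK; the report shows the raw bytes as Latin-1 characters.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def demojibake_gbk(text: str) -> str:
    """Undo a GBK-bytes-rendered-as-Latin-1 misdecoding.

    ASCII (hex handles, CURLINFO_* names, URLs) survives unchanged because both
    code pages map it identically. Text that cannot be turned back into Latin-1
    bytes, or whose bytes are not valid GBK, is returned as-is rather than
    guessed at, so a genuinely Western string is never mangled."""
    try:
        raw = text.encode("latin-1")
    except UnicodeEncodeError:
        return text
    try:
        return raw.decode("gbk")
    except UnicodeDecodeError:
        return text


def urls_from_debug(lines: List[str]) -> List[str]:
    """Download URLs found in (possibly mojibake) debug strings, in order."""
    return [u for line in lines for u in URL_RE.findall(demojibake_gbk(line))]


# Constructed sample: the report's debug lines copied as displayed.
SAMPLE_DEBUG = [
    "C:\\Program Files\\GiliSoft\\AI Toolkit\\MagicSkin.dll",
    "´´½¨µÄÏÂÔØÀàÖÆ×÷: 033495F0, ÏÂÔØÎÄ¼þ£ºhttps://www.download.gilisoft.com/gs/ai-toolkit/asr.zip",
    "½øÈë»ñÈ¡ÖØ¶¨Ïò",
    "»ñÈ¡ÖØ¶¨ÏòµØÖ·ÖÐ »ñÈ¡µ½CURLINFO_RESPONSE_CODE£º200",
]

if __name__ == "__main__":
    for line in SAMPLE_DEBUG:
        print(demojibake_gbk(line))
    print(urls_from_debug(SAMPLE_DEBUG))
```

The same two-step round-trip works for other ANSI code pages (cp949 for Korean, cp932 for Japanese, cp1251 for Russian); pick the target code page from the vendor's locale and keep the conservative fall-through, because a wrong code page that happens to decode will produce plausible-looking but meaningless text.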