File name:

AULA_F75_RGB.zip

Full analysis: https://app.any.run/tasks/767b4a24-5ba1-42b1-9354-e11e26980d0a
Verdict: Malicious activity
Analysis date: June 01, 2024, 11:45:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

3642CA0B1FE79E6A37EAB0D8449515BD

SHA1:

ACFF6EC5B27013C46F7629FB41E509C36869CC4D

SHA256:

04A95519722CD2B79AF6C5D934EC536B34969A6F86BC0D6F1EE95E02C2D5E953

SSDEEP:

98304:tHj88nRL9X9j+2C2xNOiYVapDwlFUrYnLyKHa7T0t7jFiWh//ZkgNItbI68EElGq:IdbuUPD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
      • AULA F75 Setup v2.0 20230923(1).exe (PID: 2044)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
    • Executable content was dropped or overwritten

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
      • AULA F75 Setup v2.0 20230923(1).exe (PID: 2044)
    • Reads the Windows owner or organization settings

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
  • INFO

    • Manual execution by a user

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 4072)
      • AULA F75 Setup v2.0 20230923(1).exe (PID: 2044)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)
    • Checks supported languages

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 2044)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
      • OemDrv.exe (PID: 1768)
    • Create files in a temporary directory

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 2044)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
    • Reads the computer name

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
      • OemDrv.exe (PID: 1768)
    • Creates files or folders in the user directory

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
    • Creates files in the program directory

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
    • Creates a software uninstall entry

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2023:11:27 13:39:42
ZipCRC: 0x272c7756
ZipCompressedSize: 2964062
ZipUncompressedSize: 3138372
ZipFileName: AULA F75 Setup v2.0 20230923(1).exe
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in graph: WinRAR.exe; AULA F75 Setup v2.0 20230923(1).exe (no specs); AULA F75 Setup v2.0 20230923(1).exe; AULA F75 Setup v2.0 20230923(1).tmp; OemDrv.exe (no specs); DeviceDisplayObjectProvider.exe (no specs)

Process information

PID: 116
CMD: "C:\Users\admin\AppData\Local\Temp\is-6VDPN.tmp\AULA F75 Setup v2.0 20230923(1).tmp" /SL5="$6015A,2712295,281088,C:\Users\admin\Desktop\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\is-6VDPN.tmp\AULA F75 Setup v2.0 20230923(1).tmp
Parent process: AULA F75 Setup v2.0 20230923(1).exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1048.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-6vdpn.tmp\aula f75 setup v2.0 20230923(1).tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 764
CMD: C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding
Path: C:\Windows\System32\DeviceDisplayObjectProvider.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Device Display Object Function Discovery Provider
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\devicedisplayobjectprovider.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1768
CMD: "C:\Program Files\AULA\F75\OemDrv.exe"
Path: C:\Program Files\AULA\F75\OemDrv.exe
Parent process: AULA F75 Setup v2.0 20230923(1).tmp
User:
admin
Integrity Level:
HIGH
Version:
1, 0, 0, 0
Modules
Images
c:\program files\aula\f75\oemdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID: 2044
CMD: "C:\Users\admin\Desktop\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\Desktop\AULA F75 Setup v2.0 20230923(1).exe
Parent process: explorer.exe
User:
admin
Company:
AULA
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\aula f75 setup v2.0 20230923(1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\AULA_F75_RGB.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4072
CMD: "C:\Users\admin\Desktop\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\Desktop\AULA F75 Setup v2.0 20230923(1).exe
Parent process: explorer.exe
User:
admin
Company:
AULA
Integrity Level:
MEDIUM
Description:
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\desktop\aula f75 setup v2.0 20230923(1).exe
c:\windows\system32\ntdll.dll
Total events
6 738
Read events
6 711
Write events
27
Delete events
0

Modification events

(PID) Process | Operation | Key | Name | Value
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
(3976) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\AULA_F75_RGB.zip
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(3976) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
Executable files
17
Suspicious files
6
Text files
295
Unknown types
0

Dropped files

PID: 3976 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.16003\AULA F75 Setup v2.0 20230923(1).exe
MD5: D2FE9AA9AA2373A22FF48C2CBC49B4F9
SHA256: 53C05F8669AA0BB2FD950650EA845E9410205F5D543FE192C6C3563FC46CC1CE

PID: 2044 | Process: AULA F75 Setup v2.0 20230923(1).exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-6VDPN.tmp\AULA F75 Setup v2.0 20230923(1).tmp
MD5: 45115519D1F8B09519FEF32A2612B9FC
SHA256: 02EEC62B7139A7CFC747D5F897CCEDCF76EA154EC63EDE231436A0F89E317387

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: executable
Filename: C:\Program Files\AULA\F75\is-RMTC6.tmp
MD5: C7E66DA98CFBA1F005B8B3371487850C
SHA256: 98D84EDDC10C5F10F6E1255CCE1DED3BE00F441A6F30D30EB6E3A299082FAEF7

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: image
Filename: C:\Program Files\AULA\F75\skins\is-BMHA2.tmp
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: image
Filename: C:\Program Files\AULA\F75\skins\is-0PQSQ.tmp
MD5: 979C24742E891539F49A8EC7DD43C25A
SHA256: 7EFDA788FE9761722750AD5EB8B7957BC8128E517981AD0E00F4F668DC0915D9

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-JNLF2.tmp\_isetup\_shfoldr.dll
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-JNLF2.tmp\InitSetup.dll
MD5: 3BB4A9FD05F14CC833291F7332565843
SHA256: 72F5CFE575253EAFF31E27CE8F70B4CAAA079D2C42A4130515EECF7F0967115D

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: image
Filename: C:\Program Files\AULA\F75\skins\is-Q8VJN.tmp
MD5: F5D717DE64D690E2323905B64CAAA756
SHA256: A4754B1697572981F62082510C243D2E48326874595066FBEFB4469D902572D4

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: image
Filename: C:\Program Files\AULA\F75\skins\button01_dn.png
MD5: 1F0C2C13A82D737395EC081D9E25F1B6
SHA256: D7E2EA68865A2E64888DFFE3EF076249A5C5F82344E3DFA7312685A20BBE6DB1

PID: 116 | Process: AULA F75 Setup v2.0 20230923(1).tmp | Type: image
Filename: C:\Program Files\AULA\F75\skins\is-H7GQB.tmp
MD5: 11A10943AE8859990E1B1CC4499FEEFF
SHA256: 1B69AEE17E5B1E54530F8958F63FC36EFC5704AEDE580C8ED5369E3164D56F44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | unknown
| | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
Process: AULA F75 Setup v2.0 20230923(1).tmp
Message: InitSetup: Remove Folder OK.