File name: aida 3.94.2.zip

Full analysis: https://app.any.run/tasks/21bd44c8-743c-4abb-8b2c-d687c658d7e6
Verdict: Malicious activity
Analysis date: January 12, 2025, 19:39:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
antivm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 6D5A81B16FE1A15BD72547AD986EEE67
SHA1: 17BC06C4A880C9B0F3507B5B60F0278E91AE039D
SHA256: 08E5880862F74D45D03DBB598629893C40C4498DE4BD23502F7DAC1D4F9FA9F9
SSDEEP: 98304:wpEicu2svXUj0r5luFlN0xj/P3rYcOzuR815I1/uFH5ZNmWOC5fpPLRgjlhy3Yj+:1YWWI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 5400)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5400)
    • Starts application with an unusual extension

      • aida32.exe (PID: 6696)
      • aida32.exe (PID: 936)
    • Executable content was dropped or overwritten

      • aida32.bin (PID: 6712)
      • aida32.bin (PID: 5000)
    • Contains VirtualBox VM-detection functionality (YARA match)

      • aida32.bin (PID: 6712)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5400)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 5400)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6572)
      • OpenWith.exe (PID: 7128)
      • OpenWith.exe (PID: 4716)
    • Checks supported languages

      • aida32.exe (PID: 6696)
      • aida32.bin (PID: 6712)
      • aida32.exe (PID: 7048)
      • aida32.exe (PID: 7016)
      • aida32.bin (PID: 5000)
      • aida32.exe (PID: 936)
    • Reads the computer name

      • aida32.bin (PID: 6712)
      • aida32.bin (PID: 5000)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 5400)
    • Creates files in a temporary directory

      • aida32.bin (PID: 6712)
      • aida32.bin (PID: 5000)
    • Manual execution by a user

      • aida32.exe (PID: 7048)
      • aida32.exe (PID: 7016)
      • aida32.exe (PID: 936)
    • Reads CPU info

      • aida32.bin (PID: 6712)
      • aida32.bin (PID: 5000)
    • UPX packer has been detected

      • aida32.bin (PID: 6712)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2003:03:28 00:00:00
ZipCRC: 0x2ee9a436
ZipCompressedSize: 13353
ZipUncompressedSize: 167936
ZipFileName: DB - Access.mdb
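The EXIF block above is what a ZIP central-directory walk yields for the first entry, and the suspicious-activity list further up fires on what the archive turns out to contain (a .sys driver, a .bin that runs as a process, a UPX-packed image). The script below does that triage offline in one pass: it recovers the same per-entry fields, hashes each entry, flags extensions that deserve a second look, and parses the PE section table for the UPX0/UPX1 names the packer signature keys on. This is an added example written for this report, not ANY.RUN's code; the archive it runs on is constructed inline (synthetic PE stubs and a zero-filled .mdb), so the entry names mirror the report but the bytes and hashes are not the sample's.

```python
"""Offline triage of a ZIP sample. For each entry it recovers the fields the EXIF block
reports (required version, compression method, modify date, CRC, sizes, name), hashes
the content, flags extensions worth a closer look (.sys/.vxd drivers, .dll, .exe, .bin)
and parses the PE section table for the UPX0/UPX1 names the packer signature keys on.
Added example for this report, not ANY.RUN's code; the archive it runs on is constructed
inline, so the bytes are synthetic stand-ins, not the sample."""
import hashlib
import io
import posixpath
import struct
import zipfile

WATCH_EXTENSIONS = {".sys", ".vxd", ".dll", ".exe", ".bin", ".drv", ".ocx", ".scr"}
COMPRESSION_NAMES = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated"}


def pe_section_names(data: bytes) -> list:
    """Section names of a PE image, or [] when the data is not a parseable PE.
    Offsets: e_lfanew at DOS header 0x3C; the COFF header follows the "PE\\0\\0"
    signature (NumberOfSections at +6, SizeOfOptionalHeader at +20); the section
    table starts right after the optional header, 40 bytes per entry, name first."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break  # truncated section table: report what was readable
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX names the sections it emits UPX0/UPX1 (UPX2 when resources are kept).
    The names are trivial to rewrite after packing, so a miss proves nothing;
    a hit is a reliable prompt to unpack before any static analysis."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def triage_zip(archive: bytes) -> list:
    """One record per archive entry; the first seven keys mirror the EXIF ZIP block."""
    records = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = posixpath.splitext(info.filename)[1].lower()
            sections = pe_section_names(data)
            records.append({
                "ZipFileName": info.filename,
                "ZipRequiredVersion": info.extract_version,
                "ZipCompression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                "ZipModifyDate": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "ZipCRC": "0x%08x" % info.CRC,
                "ZipCompressedSize": info.compress_size,
                "ZipUncompressedSize": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                "watch": ext in WATCH_EXTENSIONS,
                "is_pe": bool(sections),
                "sections": sections,
                "upx": looks_upx_packed(data),
            })
    return records


def build_fake_pe(section_names) -> bytes:
    """Constructed test image: DOS stub, COFF header and a zeroed PE32 optional header,
    followed by the section table. Enough for the parser, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + coff + b"\0" * size_opt + sections


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive: entry names follow the dropped-file list
    in the report and the modify date follows the EXIF block; contents are synthetic."""
    stamp = (2003, 3, 28, 0, 0, 0)
    entries = [
        ("aida32.bin", build_fake_pe(["UPX0", "UPX1", ".rsrc"])),  # packed payload
        ("aida32.exe", build_fake_pe([".text", ".data"])),
        ("aida32.sys", build_fake_pe([".text", "INIT"])),          # kernel driver
        ("DB - Access.mdb", b"\0" * 512),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(zipfile.ZipInfo(name, stamp), content, zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        flags = [k for k in ("watch", "is_pe", "upx") if rec[k]]
        print(f"{rec['ZipFileName']:<18} {rec['ZipModifyDate']} {rec['ZipUncompressedSize']:>6} "
              f"{rec['sha256'][:16]}... {' '.join(flags)}")
```

Point it at the real archive by passing the file's bytes to triage_zip; the per-entry SHA-256 values can then be compared against the dropped-files hashes later in this report to confirm that what WinRAR wrote to Rar$EXa5400.12136 is byte-identical to what the archive contains.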
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
  winrar.exe
  openwith.exe (no specs)
  aida32.exe (no specs)
  aida32.bin
  rundll32.exe (no specs)
  aida32.exe (no specs)
  aida32.exe (no specs)
  openwith.exe (no specs)
  openwith.exe (no specs)
  aida32.exe (no specs)
  aida32.bin

Process information

PID: 936
CMD: "C:\Users\admin\Downloads\aida32.exe"
Path: C:\Users\admin\Downloads\aida32.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\aida32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
PID: 4716
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Indicators: none
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5000
CMD: "C:\Users\admin\Downloads\aida32.exe"
Path: C:\Users\admin\Downloads\aida32.bin
Indicators: none
Parent process: aida32.exe
User:
admin
Company:
Tamas Miklos
Integrity Level:
MEDIUM
Description:
AIDA32 - Worldwide SysInfo Tool
Version:
3.94.2
Modules
Images
c:\users\admin\downloads\aida32.bin
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5400
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\aida 3.94.2.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6572
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Indicators: none
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6696
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.exe
Indicators: none
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5400.12136\aida32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
PID: 6712
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.bin
Indicators: none
Parent process: aida32.exe
User:
admin
Company:
Tamas Miklos
Integrity Level:
MEDIUM
Description:
AIDA32 - Worldwide SysInfo Tool
Exit code:
0
Version:
3.94.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa5400.12136\aida32.bin
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6972
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Indicators: none
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 7016
CMD: "C:\Users\admin\Downloads\aida32.exe"
Path: C:\Users\admin\Downloads\aida32.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\aida32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
PID: 7048
CMD: "C:\Users\admin\Downloads\aida32.exe"
Path: C:\Users\admin\Downloads\aida32.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\aida32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
Total events: 4 779
Read events: 4 753
Write events: 13
Delete events: 13

Modification events

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write, Name: 0
Value: C:\Users\admin\Desktop\aida 3.94.2.zip

ArcHistory is WinRAR's most-recently-used list: entry 0 is this sample, and entries 1-3 are archives already in the sandbox profile's history being shifted down. None of those three names appears in this sample's dropped files, so they are sandbox residue, not artifacts of the sample.

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: name
Value: 120

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: size
Value: 80

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: type
Value: 120

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write, Name: mtime
Value: 100

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value, Name: 15
Value: (none)

(5400) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value, Name: 14
Value: (none)
Executable files: 29
Suspicious files: 8
Text files: 73
Unknown types: 1

Dropped files

PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\DB - Access.mdb (type: mdb)
  MD5: F86C5C3A95FEE8CEAA65CBE71193D7B8
  SHA256: A240F4F0BAEEE1570AD938891B728E264D5DB0DDEA67EC1B21C0F61A5728DED7
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.vxd (type: executable)
  MD5: 9AD3F735DC0B9BEA26849D2F7D93573D
  SHA256: 5C9EBA34CC2E4D9EB5089F790C225ADE1354E18E3E8C3C213D642ADE9044685F
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.bin (type: executable)
  MD5: 650D7EC24F7B687AF36331AE5DAAB794
  SHA256: 6CAA021FA8DBFBAFC2D51889B3401E26CE3FE53C1E11C687FD8295742857349D
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida_xpicons.dll (type: executable)
  MD5: 7991B63DA427741AA0DC525A2F24026D
  SHA256: 0371FACA2EA8CD28CD69D6A388B42EF8D055D4015DF9812440B67E957475F634
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida_icons.dll (type: executable)
  MD5: 2AA65A59F12D6B22FCF266CD0957B7FC
  SHA256: DC8B9566C88C72953802ACA082C7B1A07AEC5990382634249813A9D1CE053D81
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.dat (type: binary)
  MD5: 5A65FA16CE2AE05A6F5FF62FD423010B
  SHA256: 5D1D50BD4CCB4F9B493BE56A43078D05871862E370981C30B82001D258BF0FC6
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DIa5400.11177\aida32.dat (type: binary)
  MD5: 5A65FA16CE2AE05A6F5FF62FD423010B
  SHA256: 5D1D50BD4CCB4F9B493BE56A43078D05871862E370981C30B82001D258BF0FC6
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\bg.lng (type: text)
  MD5: 9DFDEC18EB1C0E24F51EF6E930AE4961
  SHA256: 9A907DC58C3F79D1D26E6C03EBD2ED2CC6A157438D82C7F0E38650780C722CD7
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida32.sys (type: executable)
  MD5: 8E8D4D4A94495CB2DEDA843F60534E98
  SHA256: B17FC6D38BEFCCB5DFE9D921679E89C9C8DA94D49394CD37563EADEF62EDEA14
PID 5400, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136\aida_directx.dll (type: executable)
  MD5: BCBD7B004BA994CB8395605B53D3D10C
  SHA256: 3E74FFBFA8773DC316A0C80AA5AF589A0F687268455E56803CA698E95DCE7FE4
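Read together, the process table and the dropped-file list explain the three suspicious signatures: WinRAR (5400) extracts aida32.sys and aida32.vxd into its Rar$EXa5400.12136 temp directory ("Drops a system driver", "Executable content was dropped"), aida32.exe (6696) runs straight from that directory, and it then starts aida32.bin (6712) with a command line that still names aida32.exe ("Starts application with an unusual extension"). The detection logic below reproduces those checks over process-creation and file-creation events, and adds the argv[0]-versus-image mismatch that 6712 exhibits. It is an added example written for this report, not ANY.RUN's signature engine; field names follow Sysmon event 1 (Image, ParentImage, CommandLine) and event 11 (TargetFilename), the Event class and its events are constructed here from the PIDs and paths in the tables above, the explorer.exe parent path is assumed, and the file 6712 dropped is a labelled placeholder because the report does not name it.

```python
"""Detection logic for the signatures this report fired, run over constructed events.
Added example, not ANY.RUN's signature engine. Field names follow Sysmon event 1
(ProcessCreate: Image, ParentImage, CommandLine) and event 11 (FileCreate: TargetFilename);
the events are constructed from the PIDs and paths in the report's process and
dropped-file tables, plus one labelled placeholder path."""
import ntpath
import re
from dataclasses import dataclass

DRIVER_EXTENSIONS = {".sys", ".vxd"}
# Extension allowlist for file-create events, which carry no content. It misses a
# renamed PE; the report typed aida32.bin as executable by content, so .bin is listed.
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".vxd", ".ocx", ".drv", ".scr", ".cpl", ".bin"}
NORMAL_IMAGE_EXTENSIONS = {".exe", ".com", ".scr"}
# WinRAR extracts to %TEMP%\Rar$EXa<pid>.<n>\ (Rar$DIa for previews); 7-Zip to %TEMP%\7z<id>\
ARCHIVER_TEMP = re.compile(r"\\temp\\(?:rar\$(?:ex|di)[^\\]*|7z[^\\]*)\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str                  # "ProcessCreate" or "FileCreate"
    pid: int
    image: str                 # full path of the acting process
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""  # FileCreate only


def argv0(command_line: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def detect(events) -> list:
    """Return (signature, pid, detail) triples in event order."""
    hits = []
    for ev in events:
        if ev.kind == "ProcessCreate":
            # CreateProcess ignores the image's extension, so a .bin/.dat image is a
            # cheap way past extension-based controls.
            if ntpath.splitext(ev.image)[1].lower() not in NORMAL_IMAGE_EXTENSIONS:
                hits.append(("unusual_image_extension", ev.pid, ev.image))
            # lpApplicationName and argv[0] disagree: the command line names one file,
            # the running image is another. PID 6712 in this report shows exactly that.
            if ev.command_line and ntpath.basename(argv0(ev.command_line)).lower() != ntpath.basename(ev.image).lower():
                hits.append(("image_commandline_mismatch", ev.pid, f"{argv0(ev.command_line)} -> {ev.image}"))
            # Running straight out of the archiver's temporary extraction directory.
            if ARCHIVER_TEMP.search(ev.image):
                hits.append(("exec_from_archiver_temp", ev.pid, ev.image))
        elif ev.kind == "FileCreate":
            ext = ntpath.splitext(ev.target_filename)[1].lower()
            if ext in DRIVER_EXTENSIONS:
                hits.append(("driver_dropped", ev.pid, ev.target_filename))
            elif ext in EXEC_EXTENSIONS:
                hits.append(("executable_dropped", ev.pid, ev.target_filename))
    return hits


RAR_TMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa5400.12136"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed full path; the report lists only the name

# Constructed from the report's process tree and dropped-file list.
SAMPLE_EVENTS = [
    Event("ProcessCreate", 5400, WINRAR, EXPLORER, f'"{WINRAR}" "C:\\Users\\admin\\Desktop\\aida 3.94.2.zip"'),
    Event("FileCreate", 5400, WINRAR, target_filename=RAR_TMP + r"\DB - Access.mdb"),
    Event("FileCreate", 5400, WINRAR, target_filename=RAR_TMP + r"\aida32.vxd"),
    Event("FileCreate", 5400, WINRAR, target_filename=RAR_TMP + r"\aida32.bin"),
    Event("FileCreate", 5400, WINRAR, target_filename=RAR_TMP + r"\aida32.sys"),
    Event("ProcessCreate", 6696, RAR_TMP + r"\aida32.exe", WINRAR, f'"{RAR_TMP}\\aida32.exe"'),
    Event("ProcessCreate", 6712, RAR_TMP + r"\aida32.bin", RAR_TMP + r"\aida32.exe", f'"{RAR_TMP}\\aida32.exe"'),
    # The report says 6712 dropped executable content but does not name the file:
    # placeholder path.
    Event("FileCreate", 6712, RAR_TMP + r"\aida32.bin", target_filename=r"C:\Users\admin\AppData\Local\Temp\placeholder.dll"),
    Event("ProcessCreate", 936, r"C:\Users\admin\Downloads\aida32.exe", EXPLORER, r'"C:\Users\admin\Downloads\aida32.exe"'),
]

if __name__ == "__main__":
    for sig, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{sig:<28} PID {pid:<5} {detail}")
```

Two caveats when reading the hits back against this report. "Drops a system driver" fires on the extraction alone: the dropping process is WinRAR, the file is part of the archive, and nothing in the report shows the driver being loaded. Every monitored process, including aida32.bin, runs at MEDIUM integrity, which is not enough to load a driver. The extension-based file checks are also the weak part of this logic; for a file-create event the only reliable executable test is reading the first bytes of the file for an MZ header, which Sysmon does not carry in the event.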
HTTP(S) requests: 0
TCP/UDP connections: 50
DNS requests: 13
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.176:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 104.126.37.178:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.153:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3884 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4684 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4684 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

None of these connections is attributed to a monitored process (PIDs 5400, 936, 5000, 6696, 6712): every row is NetBIOS broadcast, Windows telemetry, update or Bing search traffic from system processes, consistent with the zero HTTP requests and zero threats above. Rows with no PID are listed without a process in the report.

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.153
  • 104.126.37.177
  • 104.126.37.160
  • 104.126.37.154
  • 104.126.37.162
  • 104.126.37.147
  • 104.126.37.163
  • 2.16.204.143
  • 2.16.204.157
  • 2.16.204.153
  • 2.16.204.141
  • 2.16.204.147
  • 2.16.204.138
  • 2.16.204.135
  • 2.16.204.150
  • 2.16.204.155
whitelisted
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
  • 2603:1030:800:5::bfee:a08d
whitelisted
171.39.242.20.in-addr.arpa
unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
login.live.com
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.4
whitelisted

Threats

No threats detected
No debug info