File name: AULA F75 Setup v2.0 20230923(1).exe

Full analysis: https://app.any.run/tasks/ab27fabb-2936-4447-bb77-e6d72ab52f72
Verdict: Malicious activity
Analysis date: June 19, 2024, 04:05:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D2FE9AA9AA2373A22FF48C2CBC49B4F9
SHA1: 4D87E97D2A818BB54EE1CDB3866B09AF8A180ABD
SHA256: 53C05F8669AA0BB2FD950650EA845E9410205F5D543FE192C6C3563FC46CC1CE
SSDEEP: 98304:G4OncSfY6JRLtZ9V+2u8CN8GY1t/JwxFFrun3yKH1gz0t7jxiwh/hfg6NztbysIY:3BWPS6Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 3216)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 3216)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
    • Process drops legitimate windows executable

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
    • Reads the Windows owner or organization settings

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
  • INFO

    • Manual execution by a user

      • explorer.exe (PID: 2748)
      • explorer.exe (PID: 3156)
    • Checks supported languages

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 3216)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
      • OemDrv.exe (PID: 3484)
    • Create files in a temporary directory

      • AULA F75 Setup v2.0 20230923(1).exe (PID: 3216)
      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
    • Creates files or folders in the user directory

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
    • Reads the computer name

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
      • OemDrv.exe (PID: 3484)
    • Creates files in the program directory

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
    • Creates a software uninstall entry

      • AULA F75 Setup v2.0 20230923(1).tmp (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:08:15 19:29:32+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 194048
UninitializedDataSize: -
EntryPoint: 0x163c4
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: AULA
FileDescription:
FileVersion:
LegalCopyright:
ProductName:
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, aula f75 setup v2.0 20230923(1).exe, aula f75 setup v2.0 20230923(1).tmp, explorer.exe, oemdrv.exe, explorer.exe, Shell Security Editor, aula f75 setup v2.0 20230923(1).exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2748
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3156
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3200
CMD: "C:\Users\admin\AppData\Local\Temp\is-FQSI5.tmp\AULA F75 Setup v2.0 20230923(1).tmp" /SL5="$B016A,2712295,281088,C:\Users\admin\AppData\Local\Temp\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\is-FQSI5.tmp\AULA F75 Setup v2.0 20230923(1).tmp
Parent process: AULA F75 Setup v2.0 20230923(1).exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1048.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-fqsi5.tmp\aula f75 setup v2.0 20230923(1).tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3216
CMD: "C:\Users\admin\AppData\Local\Temp\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\AULA F75 Setup v2.0 20230923(1).exe
Parent process: explorer.exe
User: admin
Company: AULA
Integrity Level: HIGH
Description: (none)
Exit code: 0
Version: (none)
Modules
Images
c:\users\admin\appdata\local\temp\aula f75 setup v2.0 20230923(1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3368
CMD: "C:\Users\admin\AppData\Local\Temp\AULA F75 Setup v2.0 20230923(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\AULA F75 Setup v2.0 20230923(1).exe
Parent process: explorer.exe
User: admin
Company: AULA
Integrity Level: MEDIUM
Description: (none)
Exit code: 3221226540
Version: (none)
Modules
Images
c:\users\admin\appdata\local\temp\aula f75 setup v2.0 20230923(1).exe
c:\windows\system32\ntdll.dll
PID: 3484
CMD: "C:\Program Files\AULA\F75\OemDrv.exe"
Path: C:\Program Files\AULA\F75\OemDrv.exe
Parent process: AULA F75 Setup v2.0 20230923(1).tmp
User: admin
Integrity Level: HIGH
Version: 1, 0, 0, 0
Modules
Images
c:\program files\aula\f75\oemdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID: 3648
CMD: C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 3 125
Read events: 3 109
Write events: 16
Delete events: 0

Modification events

All ten registry writes below were made by (PID) Process: (3200) AULA F75 Setup v2.0 20230923(1).tmp to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{212860F4-C588-4A41-90A2-B4A2B11D6223}_is1

Operation | Name | Value
write | Inno Setup: Setup Version | 5.3.4 (u)
write | Inno Setup: App Path | C:\Program Files\AULA\F75
write | InstallLocation | C:\Program Files\AULA\F75\
write | Inno Setup: Icon Group | AULA\F75
write | Inno Setup: User | admin
write | DisplayName | AULA F75
write | DisplayIcon | C:\Program Files\AULA\F75\uninstall.dll
write | UninstallString | "C:\Program Files\AULA\F75\unins000.exe"
write | QuietUninstallString | "C:\Program Files\AULA\F75\unins000.exe" /SILENT
write | DisplayVersion | 2.0
Executable files: 14
Suspicious files: 5
Text files: 297
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\is-1T5IB.tmp | executable
MD5: C7E66DA98CFBA1F005B8B3371487850C
SHA256: 98D84EDDC10C5F10F6E1255CCE1DED3BE00F441A6F30D30EB6E3A299082FAEF7
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\unins000.exe | executable
MD5: C7E66DA98CFBA1F005B8B3371487850C
SHA256: 98D84EDDC10C5F10F6E1255CCE1DED3BE00F441A6F30D30EB6E3A299082FAEF7
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\skins\is-3M9IT.tmp | image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\skins\audio_bar.png | image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Users\admin\AppData\Local\Temp\is-T4G33.tmp\InitSetup.dll | executable
MD5: 3BB4A9FD05F14CC833291F7332565843
SHA256: 72F5CFE575253EAFF31E27CE8F70B4CAAA079D2C42A4130515EECF7F0967115D
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Users\admin\AppData\Local\Temp\is-T4G33.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
3216 | AULA F75 Setup v2.0 20230923(1).exe | C:\Users\admin\AppData\Local\Temp\is-FQSI5.tmp\AULA F75 Setup v2.0 20230923(1).tmp | executable
MD5: 45115519D1F8B09519FEF32A2612B9FC
SHA256: 02EEC62B7139A7CFC747D5F897CCEDCF76EA154EC63EDE231436A0F89E317387
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\skins\is-LVLC2.tmp | image
MD5: 1F0C2C13A82D737395EC081D9E25F1B6
SHA256: D7E2EA68865A2E64888DFFE3EF076249A5C5F82344E3DFA7312685A20BBE6DB1
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\skins\is-U1FNN.tmp | image
MD5: F5D717DE64D690E2323905B64CAAA756
SHA256: A4754B1697572981F62082510C243D2E48326874595066FBEFB4469D902572D4
3200 | AULA F75 Setup v2.0 20230923(1).tmp | C:\Program Files\AULA\F75\skins\bar_ov.png | image
MD5: F2D89DA5DF2B6905E9AEA92A8FFA9BFB
SHA256: 39ABBC4504208A3DDFD2242EF3E336F42B869C1B1D6AEB7E8E1CBB7936638470
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 217.20.57.34:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.220.255.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 217.20.57.34:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5445ebff82c5850f | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
2564 | svchost.exe | 239.255.255.250:3702 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1372 | svchost.exe | 217.20.57.34:80 | ctldl.windowsupdate.com | | US | unknown
1372 | svchost.exe | 23.220.255.21:80 | crl.microsoft.com | Akamai International B.V. | IT | unknown
1372 | svchost.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1060 | svchost.exe | 217.20.57.34:80 | ctldl.windowsupdate.com | | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ctldl.windowsupdate.com | 217.20.57.34, 217.20.57.18 | whitelisted
crl.microsoft.com | 23.220.255.21, 23.220.255.25 | whitelisted
www.microsoft.com | 92.122.89.124 | whitelisted

Threats

No threats detected

Process | Message
AULA F75 Setup v2.0 20230923(1).tmp | InitSetup: Remove Folder OK.