File name: AULA F99 Setup v2.0 20230725(1).exe

Full analysis: https://app.any.run/tasks/f0fb650f-3648-4ed9-a90e-d3975df93300
Verdict: Malicious activity
Analysis date: May 23, 2024, 13:01:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1EC7DFC68F6CD0A5AD54BF020AA28834
SHA1: 81CDBE0E6931DD5A2BFE38C9BDDE40124A4B4ACE
SHA256: EADC9E3ED75CAF6F6D36F45CC211618A90133688A75B4F1027CA99A031D4E2CA
SSDEEP: 98304:G4OncSfskc0HsgmWlF6p/yivOvgDuiBY0xDrlbz58yxBrwOGAif44zG58GyTIvYn:/CclTeZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AULA F99 Setup v2.0 20230725(1).exe (PID: 4068)
      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AULA F99 Setup v2.0 20230725(1).exe (PID: 4068)
      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
    • Process drops legitimate windows executable

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
    • Reads the Windows owner or organization settings

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
  • INFO

    • Checks supported languages

      • AULA F99 Setup v2.0 20230725(1).exe (PID: 4068)
      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
      • OemDrv.exe (PID: 2116)
    • Create files in a temporary directory

      • AULA F99 Setup v2.0 20230725(1).exe (PID: 4068)
      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
    • Reads the computer name

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
      • OemDrv.exe (PID: 2116)
    • Creates files or folders in the user directory

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
      • OemDrv.exe (PID: 2116)
    • Creates files in the program directory

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
    • Creates a software uninstall entry

      • AULA F99 Setup v2.0 20230725(1).tmp (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:08:15 19:29:32+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 194048
UninitializedDataSize: -
EntryPoint: 0x163c4
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: AULA
FileDescription:
FileVersion:
LegalCopyright:
ProductName:
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> AULA F99 Setup v2.0 20230725(1).exe -> AULA F99 Setup v2.0 20230725(1).tmp -> OemDrv.exe (no specs); AULA F99 Setup v2.0 20230725(1).exe (no specs)

Process information

PID: 2116
CMD: "C:\Program Files\AULA\F99\OemDrv.exe"
Path: C:\Program Files\AULA\F99\OemDrv.exe
Parent process: AULA F99 Setup v2.0 20230725(1).tmp
User: admin
Integrity Level: HIGH
Exit code: 2
Version: 1, 0, 0, 0
Modules (images):
c:\program files\aula\f99\oemdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll

PID: 3964
CMD: "C:\Users\admin\AppData\Local\Temp\AULA F99 Setup v2.0 20230725(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\AULA F99 Setup v2.0 20230725(1).exe
Parent process: explorer.exe
User: admin
Company: AULA
Integrity Level: MEDIUM
Description: -
Exit code: 3221226540
Version: -
Modules (images):
c:\users\admin\appdata\local\temp\aula f99 setup v2.0 20230725(1).exe
c:\windows\system32\ntdll.dll

PID: 4068
CMD: "C:\Users\admin\AppData\Local\Temp\AULA F99 Setup v2.0 20230725(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\AULA F99 Setup v2.0 20230725(1).exe
Parent process: explorer.exe
User: admin
Company: AULA
Integrity Level: HIGH
Description: -
Exit code: 0
Version: -
Modules (images):
c:\users\admin\appdata\local\temp\aula f99 setup v2.0 20230725(1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 4084
CMD: "C:\Users\admin\AppData\Local\Temp\is-VO8EI.tmp\AULA F99 Setup v2.0 20230725(1).tmp" /SL5="$30138,2783199,281088,C:\Users\admin\AppData\Local\Temp\AULA F99 Setup v2.0 20230725(1).exe"
Path: C:\Users\admin\AppData\Local\Temp\is-VO8EI.tmp\AULA F99 Setup v2.0 20230725(1).tmp
Parent process: AULA F99 Setup v2.0 20230725(1).exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1048.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-vo8ei.tmp\aula f99 setup v2.0 20230725(1).tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 2 789
Read events: 2 773
Write events: 16
Delete events: 0

Modification events

All entries below were written by PID 4084 (AULA F99 Setup v2.0 20230725(1).tmp) under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CA0A7DE-0918-454B-AC41-DA0F0E257A72}_is1 (operation: write).

Name: Inno Setup: Setup Version
Value: 5.3.4 (u)

Name: Inno Setup: App Path
Value: C:\Program Files\AULA\F99

Name: InstallLocation
Value: C:\Program Files\AULA\F99\

Name: Inno Setup: Icon Group
Value: AULA\F99

Name: Inno Setup: User
Value: admin

Name: DisplayName
Value: AULA F99

Name: DisplayIcon
Value: C:\Program Files\AULA\F99\uninstall.dll

Name: UninstallString
Value: "C:\Program Files\AULA\F99\unins000.exe"

Name: QuietUninstallString
Value: "C:\Program Files\AULA\F99\unins000.exe" /SILENT

Name: DisplayVersion
Value: 2.0
Executable files: 19
Suspicious files: 7
Text files: 298
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Users\admin\AppData\Local\Temp\is-8P95R.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

4068 | AULA F99 Setup v2.0 20230725(1).exe | C:\Users\admin\AppData\Local\Temp\is-VO8EI.tmp\AULA F99 Setup v2.0 20230725(1).tmp | executable
MD5: 45115519D1F8B09519FEF32A2612B9FC
SHA256: 02EEC62B7139A7CFC747D5F897CCEDCF76EA154EC63EDE231436A0F89E317387

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\is-MP6GN.tmp | image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\is-E15IJ.tmp | executable
MD5: 3F9BBBCC4C16EE89F2ABDC015CFD41C2
SHA256: 1C3160E076D6E065115A4E1B6E73882E064E1DAEF26A4918874DC102496092B8

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\audio_bar.png | image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\bar_ov.png | image
MD5: F2D89DA5DF2B6905E9AEA92A8FFA9BFB
SHA256: 39ABBC4504208A3DDFD2242EF3E336F42B869C1B1D6AEB7E8E1CBB7936638470

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\is-0AHUG.tmp | image
MD5: 979C24742E891539F49A8EC7DD43C25A
SHA256: 7EFDA788FE9761722750AD5EB8B7957BC8128E517981AD0E00F4F668DC0915D9

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\unins000.exe | executable
MD5: 3F9BBBCC4C16EE89F2ABDC015CFD41C2
SHA256: 1C3160E076D6E065115A4E1B6E73882E064E1DAEF26A4918874DC102496092B8

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\is-MUKNN.tmp | image
MD5: F2D89DA5DF2B6905E9AEA92A8FFA9BFB
SHA256: 39ABBC4504208A3DDFD2242EF3E336F42B869C1B1D6AEB7E8E1CBB7936638470

4084 | AULA F99 Setup v2.0 20230725(1).tmp | C:\Program Files\AULA\F99\skins\is-08Q5V.tmp | image
MD5: 1F0C2C13A82D737395EC081D9E25F1B6
SHA256: D7E2EA68865A2E64888DFFE3EF076249A5C5F82344E3DFA7312685A20BBE6DB1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Debug output strings

Process | Message
AULA F99 Setup v2.0 20230725(1).tmp | InitSetup: Remove Folder OK.