File name: rp505enu.exe

Full analysis: https://app.any.run/tasks/b1d3267d-f711-47a1-a024-36534a4394b2
Verdict: Malicious activity
Analysis date: June 05, 2024, 06:48:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5: 2700A631F3B171F58C054A59E4486286
SHA1: 0B08E16C5F47EC08E3A6A56A86132AF40CD9A69B
SHA256: 5DBD36C7D933B4B709319CA6434143612CF03A7D56CAA7DC23EBC6901E8027BD
SSDEEP: 98304:pCois7lzI8IanypO+VWvnYLmfkE2oM33JMs8j7WE4vTr2l3P0p+33zWndLL2b0uy:WamqKenewifDSwBrtccPuu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
    • Process drops legitimate windows executable

      • rp505enu.exe (PID: 4084)
      • _INS5576._MP (PID: 928)
    • Starts application with an unusual extension

      • Setup.exe (PID: 1200)
    • Creates file in the systems drive root

      • _ISDel.exe (PID: 1120)
  • INFO

    • Checks supported languages

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
      • _ISDel.exe (PID: 1120)
    • Reads the computer name

      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
      • _ISDel.exe (PID: 1120)
    • Create files in a temporary directory

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (53)
.exe | InstallShield setup (16.9)
.exe | Win32 Executable MS Visual C++ (generic) (12.2)
.exe | Win64 Executable (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1998:03:26 14:31:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 69120
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0xc110
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.5.0
ProductVersionNumber: 2.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: InstallShield Software Corporation
FileDescription: PackageForTheWeb Stub
FileVersion: 2.02.001
InternalName: STUB.EXE
LegalCopyright: Copyright © 1996 InstallShield Software Corporation
OriginalFileName: STUB32.EXE
ProductName: PackageForTheWeb Stub
ProductVersion: 2.02.001
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes (as extracted; the interactive graph is in the full report): start, rp505enu.exe, setup.exe, _ins5576._mp, _isdel.exe (no specs), rp505enu.exe (no specs)

Process information

PID: 928
CMD: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
Path: C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
Parent process: Setup.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: InstallShield Engine
Version: 5, 53, 168, 0
Modules (images):
  c:\users\admin\appdata\local\temp\_istmp1.dir\_ins5576._mp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winspool.drv

PID: 1120
CMD: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\_ISDEL.EXE
Path: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\_ISDel.exe
Parent process: Setup.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: 32-bit InstallShield Deleter.
Version: 5, 51, 138, 0
Modules (images):
  c:\users\admin\appdata\local\temp\pft4940~tmp\_isdel.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\apphelp.dll

PID: 1200
CMD: "C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Setup.exe" /SMS
Path: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Setup.exe
Parent process: rp505enu.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: 32-bit Setup Launcher
Version: 5, 52, 164, 0
Modules (images):
  c:\users\admin\appdata\local\temp\pft4940~tmp\setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\version.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\rp505enu.exe"
Path: C:\Users\admin\AppData\Local\Temp\rp505enu.exe
Parent process: explorer.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: MEDIUM
Description: PackageForTheWeb Stub
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.02.001
Modules (images):
  c:\users\admin\appdata\local\temp\rp505enu.exe
  c:\windows\system32\ntdll.dll

PID: 4084
CMD: "C:\Users\admin\AppData\Local\Temp\rp505enu.exe"
Path: C:\Users\admin\AppData\Local\Temp\rp505enu.exe
Parent process: explorer.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: PackageForTheWeb Stub
Version: 2.02.001
Modules (images):
  c:\users\admin\appdata\local\temp\rp505enu.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 547
Read events: 547
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 47
Suspicious files: 45
Text files: 37
Unknown types: 27

Dropped files

PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\pftw1.pkg (type: -)
  MD5: -
  SHA256: -
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Help\ENU\MiniReader.pdf (type: pdf)
  MD5: D4991B09EF1DA6EDBE5E8980E79AC2E9
  SHA256: A2E4F329A28E0C02952A778888D361EF98ED227E9DE6DD83BC810C3BD7C71BC9
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\data1.cab (type: compressed)
  MD5: 71AF230907090AE68287B861B8A694BC
  SHA256: BA74335C7AA56E4DE7D8A162677C572A2B24F8936A80A00E3F7F12DFEBA32714
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Abcpy.ini (type: binary)
  MD5: 9EC7E0AAC1B0D2068BCCCACC2AC38988
  SHA256: A39624BB8B63F2225ECFA69D1A1D812F309091992BD6788CB7EC47C2EC7F5914
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Help\ENU\Reader.pdf (type: pdf)
  MD5: 7C1E26BC1B70F710A87B7CE9F7F19570
  SHA256: 5B3297DD6FA74969C28A5D17DEB37D4BA4A90C92FB0853A530F0440D8DB30308
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Help\ENU\ACROBAT.PDF (type: pdf)
  MD5: 648718655C7A155F3D07AEE38DA3DFE5
  SHA256: 2DF5A314C95BF112998520F332E8C1F33F5083CD47FEFC050BC54FDC4DA031B1
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\DATA.TAG (type: text)
  MD5: AC8B33C0C4BF3DC58794842E49AB9C00
  SHA256: 38B5E9734FFDF1FDCBD9B0BD57E20B19596FFD19AC877C981448D2D0912DCB1A
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\layout.bin (type: binary)
  MD5: F3BFCEB7370B4E99919471430F4F8DB1
  SHA256: 408AD75CAB4CBE7A00B62B16F4675738DD5F83624DA233B5A6538C0A9A5C57F8
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\os.dat (type: text)
  MD5: 478F65A0B922B6BA0A6CE99E1D15C336
  SHA256: BE2292517342DE82D50CEFBACB185E36558FCDFBF686692E7DF08A80331F9BEE
PID 4084, rp505enu.exe: C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\AceLite.dll (type: executable)
  MD5: E955393B00B23627B891F0999246ED6C
  SHA256: 9EDF9D7077C6C8E5CB363A54AB1948E9EB732D7B053455DBCBCA47DF62915CA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

All three entries are the guest's own local traffic: NetBIOS name service and datagram broadcasts (UDP 137/138) from PID 4 (System) and an LLMNR multicast (UDP 5355); none is a connection initiated by the sample's processes.

DNS requests

No data

Threats

No threats detected
No debug info