Field | Value
---|---
File name | PANDAFREEAV.exe.7z
Full analysis | https://app.any.run/tasks/2a52a337-4164-474a-ae42-ad898cb3b923
Verdict | Malicious activity
Analysis date | January 14, 2022, 20:59:45
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MIME | application/x-7z-compressed
File info | 7-zip archive data, version 0.4
MD5 | EE2D971CECF7C7C5B94B1DB04F324007
SHA1 | 7BA348194261A903938E15265B0F73C579123E0D
SHA256 | 4CFBFC663343D9B814D3F34142D9732B70508FDF82C1AE15D927A13840EF0AD1
SSDEEP | 49152:bsNAb4fijC72sqTRBFrshjHk1gb/sCTB4ouI/YEeifx6Ekm1:qfi2SFTRBFIhOC14e/6tEt
Extension | Description
---|---
.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2732 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PANDAFREEAV.exe.7z" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0
1324 | "C:\Users\admin\Desktop\PANDAFREEAV.exe" | C:\Users\admin\Desktop\PANDAFREEAV.exe | — | Explorer.EXE | User: admin; Company: Panda Security, S.L.; Integrity Level: MEDIUM; Description: Panda Security SFX; Exit code: 3221226540; Version: 15.14.5.0
460 | "C:\Users\admin\Desktop\PANDAFREEAV.exe" | C:\Users\admin\Desktop\PANDAFREEAV.exe | | Explorer.EXE | User: admin; Company: Panda Security, S.L.; Integrity Level: HIGH; Description: Panda Security SFX; Version: 15.14.5.0
3652 | ".\Stub.exe" /c "181176" /u "http://acs.pandasoftware.com/Panda/FREEAV/181176/FREEAV.exe" /a "AFPZP1016" /p "4252" | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\Stub.exe | | PANDAFREEAV.exe | User: admin; Company: Panda Security, S.L.; Integrity Level: HIGH; Version: 5.0.38.3
3076 | "C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe" | C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe | | Stub.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Framework 4.6 Setup; Version: 4.6.00081.00
2368 | C:\39adf1b9158926f1f694\\Setup.exe /x86 /x64 /web | C:\39adf1b9158926f1f694\Setup.exe | | {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Setup Installer; Version: 14.0.0081.0 built by: NETFXREL2
832 | SetupUtility.exe /aupause | C:\39adf1b9158926f1f694\SetupUtility.exe | — | Setup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Framework 4.5 Setup; Exit code: 0; Version: 14.0.0081.0 built by: NETFXREL2
2324 | SetupUtility.exe /screboot | C:\39adf1b9158926f1f694\SetupUtility.exe | — | Setup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Framework 4.5 Setup; Exit code: 0; Version: 14.0.0081.0 built by: NETFXREL2
2684 | TMP766B.tmp.exe /Q /X:C:\39adf1b9158926f1f694\TMP766B.tmp.exe.tmp | C:\39adf1b9158926f1f694\TMP766B.tmp.exe | | Setup.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft .NET Framework 4.6 Setup; Exit code: 0; Version: 4.6.00081.00
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
2732 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\PANDAFREEAV.exe.7z
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2732 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2732.15823\PANDAFREEAV.exe | executable | 459AD089E2FE8FB886DCD22F641B75EA | 7B24813FEA6F9B2CFB91A5AEB8F400B397E769D82BF577A9EEFBDD6E794EA4CF
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\background.png | image | 66F91F2B36927E1B51344BDA4B373B04 | DAE5E3F303D3CAB68A7D920F081923BF89DD8FD1C58621C6BC3CAD8B880F1494
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_bra.png | image | A48F4CA1316F2CE5829A13A6E473FF6B | A0A3B6ECD55B9F6D5CCCD0F8CEAEC0385390E2405A7267DA1970CD51BD68EDBD
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\final_img.png | image | 30595BC50C0660181E78FCC5CE594EC9 | 3E20967850F3604DA98B070C8A82FD161B454E9B974B67503B04B04A39E254A1
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\cancel.png | image | DC86C6898184A6335C26F7830A67B6B0 | BB138DA55A6362AFC4851C30C23BE279B08B1FFA2B4D3170A715C7571C46E5C1
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_chi_sim.png | image | C7B6F609A1474B0CB8CF0FAF50A2285E | 1641E037E4E7C91270E4DC6359CE1D00E8A2B6BB31D143D764E221BDE5D02168
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_fre.png | image | B0C548A5529E5BB1C3AD451482547783 | B819B6C483A3FF99CBF670008279EF15F7E718A376963AC8A092F3DDB88046AF
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\ico_ven_cancel.png | image | D3D94C8ACB4CE42424526DA2DCF5DF39 | 4E67660226A201929A6CF6D75CBA7681FA278D30541D412458768FF785EA886B
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_bul.png | image | 6BE345E9B3C61C4ABAFEEAEE15BB6DC6 | 5E6E8C18F239E740A842A167289C48D5DD8A72CBFB0519C83FA5AF7FBD61FC7D
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\avDetect.dat | gpg | 9A17B5AC44705CC4BC3608C6232E1F16 | 4AD849F737B18084B060828C7CCA48BCF512CC2ADA2A937F5CFBAB79F1B29677
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1034&Installation_End=ERROR&Stub_Event=End&_ei=DE61434F-0189-4DAB-9CC7-9DBAB4B1F3C3&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?ProductID=4252&Stub_Event=Start&_ei=FD8174B1-CD36-4718-9BE0-AF16DE8B9B4D&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 302 | 92.122.255.148:80 | http://download.microsoft.com/download/1/4/A/14A6C422-0D3C-4811-A31F-5EF91A83C368/NDP46-KB3045560-Web.exe | unknown | — | — | whitelisted |
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1035&Installation_End=ERROR&Stub_Event=End&_ei=CEC550F8-8E3D-4207-A21F-DB2F6AC746DB&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 301 | 104.111.243.23:80 | http://www.pandasecurity.com/Vg5sw34C5j | NL | text | 105 b | unknown |
3652 | Stub.exe | GET | 200 | 41.63.96.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b77572da0326f97c | ZA | compressed | 4.70 Kb | whitelisted |
860 | svchost.exe | HEAD | 302 | 104.89.38.104:80 | http://go.microsoft.com/fwlink/?LinkId=528226&clcid=0x409 | NL | — | — | whitelisted |
860 | svchost.exe | HEAD | 302 | 104.89.38.104:80 | http://go.microsoft.com/fwlink/?LinkId=528231&clcid=0x409 | NL | — | — | whitelisted |
860 | svchost.exe | GET | 302 | 104.89.38.104:80 | http://go.microsoft.com/fwlink/?LinkId=528226&clcid=0x409 | NL | — | — | whitelisted |
860 | svchost.exe | GET | 302 | 104.89.38.104:80 | http://go.microsoft.com/fwlink/?LinkId=528231&clcid=0x409 | NL | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3652 | Stub.exe | 92.122.255.148:80 | download.microsoft.com | GTT Communications Inc. | — | malicious |
3652 | Stub.exe | 104.111.243.23:80 | www.pandasecurity.com | Akamai International B.V. | NL | unknown |
3652 | Stub.exe | 92.122.255.148:443 | download.microsoft.com | GTT Communications Inc. | — | malicious |
3652 | Stub.exe | 41.63.96.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
3652 | Stub.exe | 40.69.210.172:80 | eventtrack.pandasecurity.com | Microsoft Corporation | IE | suspicious |
3652 | Stub.exe | 2.16.107.106:80 | acs.pandasoftware.com | Akamai International B.V. | — | suspicious |
2368 | Setup.exe | 92.123.194.154:80 | crl.microsoft.com | Akamai International B.V. | — | suspicious |
3652 | Stub.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2368 | Setup.exe | 92.123.194.163:80 | crl.microsoft.com | Akamai International B.V. | — | suspicious |
Domain | IP | Reputation
---|---|---
acs.pandasoftware.com | | whitelisted
eventtrack.pandasecurity.com | | unknown
www.pandasecurity.com | | unknown
download.microsoft.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
crl3.digicert.com | | whitelisted
crl.microsoft.com | | whitelisted
go.microsoft.com | | whitelisted
download.visualstudio.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3652 | Stub.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3652 | Stub.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |