File name:

PANDAFREEAV.exe.7z

Full analysis: https://app.any.run/tasks/2a52a337-4164-474a-ae42-ad898cb3b923
Verdict: Malicious activity
Analysis date: January 14, 2022, 20:59:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

EE2D971CECF7C7C5B94B1DB04F324007

SHA1:

7BA348194261A903938E15265B0F73C579123E0D

SHA256:

4CFBFC663343D9B814D3F34142D9732B70508FDF82C1AE15D927A13840EF0AD1

SSDEEP:

49152:bsNAb4fijC72sqTRBFrshjHk1gb/sCTB4ouI/YEeifx6Ekm1:qfi2SFTRBFIhOC14e/6tEt

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PANDAFREEAV.exe (PID: 460)
      • PANDAFREEAV.exe (PID: 1324)
      • Stub.exe (PID: 3652)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
      • Setup.exe (PID: 2368)
      • SetupUtility.exe (PID: 832)
      • SetupUtility.exe (PID: 2324)
    • Loads dropped or rewritten executable

      • Stub.exe (PID: 3652)
      • Setup.exe (PID: 2368)
    • Drops executable file immediately after start

      • PANDAFREEAV.exe (PID: 460)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
    • Actions look like stealing of personal data

      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
    • Changes settings of System certificates

      • Setup.exe (PID: 2368)
  • SUSPICIOUS

    • Checks supported languages

      • PANDAFREEAV.exe (PID: 460)
      • WinRAR.exe (PID: 2732)
      • Stub.exe (PID: 3652)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
      • Setup.exe (PID: 2368)
      • SetupUtility.exe (PID: 832)
      • SetupUtility.exe (PID: 2324)
      • TMP766B.tmp.exe (PID: 2684)
    • Reads the computer name

      • WinRAR.exe (PID: 2732)
      • Stub.exe (PID: 3652)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
      • Setup.exe (PID: 2368)
      • SetupUtility.exe (PID: 832)
      • TMP766B.tmp.exe (PID: 2684)
      • SetupUtility.exe (PID: 2324)
    • Reads Environment values

      • PANDAFREEAV.exe (PID: 460)
      • Setup.exe (PID: 2368)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2732)
      • PANDAFREEAV.exe (PID: 460)
      • Stub.exe (PID: 3652)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
      • TMP766B.tmp.exe (PID: 2684)
      • Setup.exe (PID: 2368)
    • Drops a file that was compiled in debug mode

      • PANDAFREEAV.exe (PID: 460)
      • Stub.exe (PID: 3652)
      • {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
    • Creates files in the program directory

      • Stub.exe (PID: 3652)
    • Reads CPU info

      • Setup.exe (PID: 2368)
  • INFO

    • Reads settings of System Certificates

      • Stub.exe (PID: 3652)
      • Setup.exe (PID: 2368)
    • Manual execution by user

      • PANDAFREEAV.exe (PID: 1324)
      • PANDAFREEAV.exe (PID: 460)
    • Checks Windows Trust Settings

      • Stub.exe (PID: 3652)
      • Setup.exe (PID: 2368)
    • Dropped object may contain Bitcoin addresses

      • SetupUtility.exe (PID: 832)
      • Setup.exe (PID: 2368)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

Graph labels (the image itself is not reproduced here): start > winrar.exe; start > pandafreeav.exe (no specs); start > pandafreeav.exe > drop and start > stub.exe > drop and start > {e6381693-c0f2-419c-80d1-de353cb06f20}.exe > drop and start > setup.exe > setuputility.exe (no specs), setuputility.exe (no specs), tmp766b.tmp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2732
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PANDAFREEAV.exe.7z"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\program files\winrar\7zxa.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
PID:
1324
CMD:
"C:\Users\admin\Desktop\PANDAFREEAV.exe"
Path:
C:\Users\admin\Desktop\PANDAFREEAV.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Panda Security, S.L.
Integrity Level:
MEDIUM
Description:
Panda Security SFX
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity instance required elevation and did not run; PID 460, the same command line at HIGH integrity, is the UAC re-launch)
Version:
15.14.5.0
Modules
Images
c:\users\admin\desktop\pandafreeav.exe
c:\windows\system32\ntdll.dll
PID:
460
CMD:
"C:\Users\admin\Desktop\PANDAFREEAV.exe"
Path:
C:\Users\admin\Desktop\PANDAFREEAV.exe
Parent process:
Explorer.EXE
User:
admin
Company:
Panda Security, S.L.
Integrity Level:
HIGH
Description:
Panda Security SFX
Version:
15.14.5.0
Modules
Images
c:\users\admin\desktop\pandafreeav.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\apphelp.dll
PID:
3652
CMD:
".\Stub.exe" /c "181176" /u "http://acs.pandasoftware.com/Panda/FREEAV/181176/FREEAV.exe" /a "AFPZP1016" /p "4252"
Path:
C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\Stub.exe
Parent process:
PANDAFREEAV.exe
User:
admin
Company:
Panda Security, S.L.
Integrity Level:
HIGH
Version:
5.0.38.3
Modules
Images
c:\users\admin\appdata\local\temp\7zscc1eca71\stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\setupapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\7zscc1eca71\commswrapper.dll
c:\users\admin\appdata\local\temp\7zscc1eca71\msvcr100.dll
c:\users\admin\appdata\local\temp\7zscc1eca71\msvcp100.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\7zscc1eca71\splash.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
PID:
3076
CMD:
"C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe"
Path:
C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe
Parent process:
Stub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Framework 4.6 Setup
Version:
4.6.00081.00
Modules
Images
c:\users\admin\appdata\local\temp\{e6381693-c0f2-419c-80d1-de353cb06f20}.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\feclient.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\apphelp.dll
PID:
2368
CMD:
C:\39adf1b9158926f1f694\\Setup.exe /x86 /x64 /web
Path:
C:\39adf1b9158926f1f694\Setup.exe
Parent process:
{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Installer
Version:
14.0.0081.0 built by: NETFXREL2
Modules
Images
c:\39adf1b9158926f1f694\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\39adf1b9158926f1f694\setupengine.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\39adf1b9158926f1f694\sqmapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wkscli.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\39adf1b9158926f1f694\setupui.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msxml6.dll
c:\39adf1b9158926f1f694\1033\setupresources.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wu.upgrade.ps.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorlib.dll
c:\windows\system32\riched20.dll
c:\windows\system32\msls31.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\netfxperf.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\39adf1b9158926f1f694\setuputility.exe
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\bitsprx2.dll
c:\39adf1b9158926f1f694\tmp766b.tmp.exe
c:\windows\system32\propsys.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\mssprxy.dll
PID:
832
CMD:
SetupUtility.exe /aupause
Path:
C:\39adf1b9158926f1f694\SetupUtility.exe
Parent process:
Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Framework 4.5 Setup
Exit code:
0
Version:
14.0.0081.0 built by: NETFXREL2
Modules
Images
c:\39adf1b9158926f1f694\setuputility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
PID:
2324
CMD:
SetupUtility.exe /screboot
Path:
C:\39adf1b9158926f1f694\SetupUtility.exe
Parent process:
Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Framework 4.5 Setup
Exit code:
0
Version:
14.0.0081.0 built by: NETFXREL2
Modules
Images
c:\39adf1b9158926f1f694\setuputility.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msctf.dll
PID:
2684
CMD:
TMP766B.tmp.exe /Q /X:C:\39adf1b9158926f1f694\TMP766B.tmp.exe.tmp
Path:
C:\39adf1b9158926f1f694\TMP766B.tmp.exe
Parent process:
Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Framework 4.6 Setup
Exit code:
0
Version:
4.6.00081.00
Modules
Images
c:\39adf1b9158926f1f694\tmp766b.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
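The process records above are flattened, and the sandbox names each parent only by image, so the two PANDAFREEAV.exe instances share one parent label. The following added example (not ANY.RUN code; the records are transcribed from this report) rebuilds the tree, resolves the ambiguous parent by integrity level, and picks out the UAC elevation step: an image that exits at MEDIUM with 0xC000042C (STATUS_ELEVATION_REQUIRED) and reappears at HIGH. Explorer.EXE is not among the monitored processes, so it is treated as an unmonitored root.

```python
"""Rebuild the process tree from this report's flattened 'Process information'
records and flag the UAC elevation step.

Added example, not part of the ANY.RUN report.  Records are transcribed from
the report above: PID, image, parent image, integrity level, exit code.
"""
from collections import defaultdict

# Transcribed from the report.  The sandbox gives the parent by image name
# only, so both PANDAFREEAV.exe instances are candidates for Stub.exe's parent.
PROCESSES = [
    {"pid": 2732, "image": "WinRAR.exe", "parent": "Explorer.EXE", "il": "MEDIUM", "exit": None},
    {"pid": 1324, "image": "PANDAFREEAV.exe", "parent": "Explorer.EXE", "il": "MEDIUM", "exit": 3221226540},
    {"pid": 460, "image": "PANDAFREEAV.exe", "parent": "Explorer.EXE", "il": "HIGH", "exit": None},
    {"pid": 3652, "image": "Stub.exe", "parent": "PANDAFREEAV.exe", "il": "HIGH", "exit": None},
    {"pid": 3076, "image": "{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe", "parent": "Stub.exe", "il": "HIGH", "exit": None},
    {"pid": 2368, "image": "Setup.exe", "parent": "{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe", "il": "HIGH", "exit": None},
    {"pid": 832, "image": "SetupUtility.exe", "parent": "Setup.exe", "il": "HIGH", "exit": 0},
    {"pid": 2324, "image": "SetupUtility.exe", "parent": "Setup.exe", "il": "HIGH", "exit": 0},
    {"pid": 2684, "image": "TMP766B.tmp.exe", "parent": "Setup.exe", "il": "HIGH", "exit": 0},
]

# NTSTATUS returned when an image that requires elevation is started without UAC.
STATUS_ELEVATION_REQUIRED = 0xC000042C

IL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def ntstatus(code):
    """Render an exit code as NTSTATUS hex, naming the one value this report contains."""
    if code is None:
        return "n/a"
    name = "STATUS_ELEVATION_REQUIRED" if code == STATUS_ELEVATION_REQUIRED else "unnamed"
    return f"0x{code & 0xFFFFFFFF:08X} ({name})"


def resolve_parent(child, records):
    """Return the parent PID for a child whose parent is known only by image name.
    A child cannot run above its parent's integrity level without UAC, so among
    same-named candidates prefer one whose IL is at least the child's.  None means
    the parent (Explorer.EXE here) was not monitored."""
    candidates = [r for r in records if r["image"] == child["parent"]]
    eligible = [r for r in candidates if IL_RANK[r["il"]] >= IL_RANK[child["il"]]]
    pool = eligible or candidates
    return pool[0]["pid"] if pool else None


def build_tree(records):
    """Map parent PID (None = unmonitored root) to its child records, in report order."""
    tree = defaultdict(list)
    for r in records:
        tree[resolve_parent(r, records)].append(r)
    return tree


def render(records, parent=None, depth=0, tree=None):
    """Indented process tree as a list of text lines."""
    tree = build_tree(records) if tree is None else tree
    lines = []
    for r in tree.get(parent, []):
        lines.append(f"{'  ' * depth}{r['image']} [PID {r['pid']}, IL {r['il']}, exit {ntstatus(r['exit'])}]")
        lines.extend(render(records, r["pid"], depth + 1, tree))
    return lines


def elevation_events(records):
    """(medium_pid, high_pid) pairs: an image that exits at MEDIUM with
    STATUS_ELEVATION_REQUIRED and reappears at HIGH is the UAC re-launch of an installer."""
    out = []
    for low in records:
        if low["il"] == "MEDIUM" and low["exit"] == STATUS_ELEVATION_REQUIRED:
            out.extend((low["pid"], h["pid"]) for h in records
                       if h["image"] == low["image"] and h["il"] == "HIGH")
    return out


if __name__ == "__main__":
    print("\n".join(render(PROCESSES)))
    print("UAC elevation (medium PID -> high PID):", elevation_events(PROCESSES))
```

The integrity-level rule in resolve_parent is what makes Stub.exe hang off PID 460 rather than PID 1324; without it the two PANDAFREEAV.exe entries would both appear to have children, which is exactly the ambiguity the sandbox's name-only parent field creates.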
Total events
11 425
Read events
11 360
Write events
65
Delete events
0

Modification events

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\PANDAFREEAV.exe.7z

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2732) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

All ten recorded writes come from WinRAR.exe (PID 2732), not from the sample. ArcHistory\0 is the analysed archive; entries 1 and 2 name archives that are not part of this sample and are WinRAR's pre-existing recent-archive list, rewritten when the list was saved.
Executable files
41
Suspicious files
8
Text files
114
Unknown types
8

Dropped files

PID | Process | Filename | Type
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\recorte_cloud.png | image
MD5: F037258F333D7967D5CB7672AE0DD4CA
SHA256: 226928BD446DBF9542DBDE8D38367194DCCA65C18A552F4F26DAF30520E41822
2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2732.15823\PANDAFREEAV.exe | executable
MD5: 459AD089E2FE8FB886DCD22F641B75EA
SHA256: 7B24813FEA6F9B2CFB91A5AEB8F400B397E769D82BF577A9EEFBDD6E794EA4CF
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\atras.png | image
MD5: 6F14ADB92D1AA42AD923182993281A21
SHA256: 53F1830AE5664ABA50EDB70017519DB778953A269E4178566328A5328F422CEA
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\ico_ven_cancel.png | image
MD5: D3D94C8ACB4CE42424526DA2DCF5DF39
SHA256: 4E67660226A201929A6CF6D75CBA7681FA278D30541D412458768FF785EA886B
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\avDetect.dat | gpg
MD5: 9A17B5AC44705CC4BC3608C6232E1F16
SHA256: 4AD849F737B18084B060828C7CCA48BCF512CC2ADA2A937F5CFBAB79F1B29677
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\cancel.png | image
MD5: DC86C6898184A6335C26F7830A67B6B0
SHA256: BB138DA55A6362AFC4851C30C23BE279B08B1FFA2B4D3170A715C7571C46E5C1
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\img_product1.png | image
MD5: 1714652A08968AAB7E4CCC1801E0050F
SHA256: EF693F45D5CFBE30A3F4F0081DAED414390B412DE0946CD45C14B9B218868390
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\img_product2.png | image
MD5: FD92546FC781EFEF844196C15E45F570
SHA256: 99466F827368EF2FE2783E0112B683FDB29973055BEA1D88B30462918D776993
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_bul.png | image
MD5: 6BE345E9B3C61C4ABAFEEAEE15BB6DC6
SHA256: 5E6E8C18F239E740A842A167289C48D5DD8A72CBFB0519C83FA5AF7FBD61FC7D
460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_chi_sim.png | image
MD5: C7B6F609A1474B0CB8CF0FAF50A2285E
SHA256: 1641E037E4E7C91270E4DC6359CE1D00E8A2B6BB31D143D764E221BDE5D02168
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
15
DNS requests
17
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3652
Stub.exe
GET
200
2.16.107.106:80
http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt
unknown
text
175 b
whitelisted
3652
Stub.exe
GET
200
2.16.107.106:80
http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt
unknown
text
175 b
whitelisted
3652
Stub.exe
GET
200
40.69.210.172:80
http://eventtrack.pandasecurity.com/track/install/details.html?ProductID=4252&Stub_Event=Start&_ei=FD8174B1-CD36-4718-9BE0-AF16DE8B9B4D&_es=1&_et=Stub&_lt=20220114210010
IE
suspicious
3652
Stub.exe
GET
200
40.69.210.172:80
http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1034&Installation_End=ERROR&Stub_Event=End&_ei=DE61434F-0189-4DAB-9CC7-9DBAB4B1F3C3&_es=1&_et=Stub&_lt=20220114210010
IE
suspicious
3652
Stub.exe
GET
200
40.69.210.172:80
http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1035&Installation_End=ERROR&Stub_Event=End&_ei=CEC550F8-8E3D-4207-A21F-DB2F6AC746DB&_es=1&_et=Stub&_lt=20220114210010
IE
suspicious
3652
Stub.exe
GET
301
104.111.243.23:80
http://www.pandasecurity.com/Vg5sw34C5j
NL
text
105 b
unknown
3652
Stub.exe
GET
302
92.122.255.148:80
http://download.microsoft.com/download/1/4/A/14A6C422-0D3C-4811-A31F-5EF91A83C368/NDP46-KB3045560-Web.exe
unknown
whitelisted
3652
Stub.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.68 Kb
shared
3652
Stub.exe
GET
200
41.63.96.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b77572da0326f97c
ZA
compressed
4.70 Kb
whitelisted
2368
Setup.exe
GET
200
92.123.194.163:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
der
519 b
whitelisted
860
svchost.exe
HEAD
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=249117&clcid=0x409
NL
whitelisted
860
svchost.exe
GET
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=249117&clcid=0x409
NL
whitelisted
2368
Setup.exe
GET
200
92.123.194.154:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
der
767 b
whitelisted
860
svchost.exe
HEAD
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=528231&clcid=0x409
NL
whitelisted
860
svchost.exe
GET
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=528231&clcid=0x409
NL
whitelisted
2368
Setup.exe
GET
200
104.85.1.163:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
US
der
1.05 Kb
whitelisted
2368
Setup.exe
GET
200
92.123.194.163:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
der
1.11 Kb
whitelisted
860
svchost.exe
HEAD
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=528226&clcid=0x409
NL
whitelisted
860
svchost.exe
GET
302
104.89.38.104:80
http://go.microsoft.com/fwlink/?LinkId=528226&clcid=0x409
NL
whitelisted
2368
Setup.exe
GET
200
92.123.194.154:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
der
824 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3652
Stub.exe
104.111.243.23:80
www.pandasecurity.com
Akamai International B.V.
NL
unknown
3652
Stub.exe
92.122.255.148:443
download.microsoft.com
GTT Communications Inc.
malicious
3652
Stub.exe
40.69.210.172:80
eventtrack.pandasecurity.com
Microsoft Corporation
IE
suspicious
3652
Stub.exe
92.122.255.148:80
download.microsoft.com
GTT Communications Inc.
malicious
3652
Stub.exe
2.16.107.106:80
acs.pandasoftware.com
Akamai International B.V.
suspicious
3652
Stub.exe
41.63.96.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
ZA
suspicious
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
860
svchost.exe
104.89.38.104:80
go.microsoft.com
Akamai Technologies, Inc.
NL
malicious
860
svchost.exe
104.102.28.147:443
download.microsoft.com
Akamai Technologies, Inc.
US
suspicious
3652
Stub.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2368
Setup.exe
92.123.194.154:80
crl.microsoft.com
Akamai International B.V.
suspicious
2368
Setup.exe
92.123.194.163:80
crl.microsoft.com
Akamai International B.V.
suspicious
2368
Setup.exe
104.85.1.163:80
www.microsoft.com
Time Warner Cable Internet LLC
US
suspicious

DNS requests

Domain
IP
Reputation
acs.pandasoftware.com
  • 2.16.107.106
  • 2.16.107.33
whitelisted
eventtrack.pandasecurity.com
  • 40.69.210.172
unknown
www.pandasecurity.com
  • 104.111.243.23
unknown
download.microsoft.com
  • 92.122.255.148
  • 104.102.28.147
whitelisted
ctldl.windowsupdate.com
  • 41.63.96.0
  • 41.63.96.128
whitelisted
ocsp.digicert.com
  • 93.184.220.29
shared
crl3.digicert.com
  • 93.184.220.29
shared
crl.microsoft.com
  • 92.123.194.163
  • 92.123.194.154
  • 92.123.194.162
whitelisted
go.microsoft.com
  • 104.89.38.104
whitelisted
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted

Threats

PID
Process
Class
Message
3652
Stub.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
3652
Stub.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
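Three things in the network tables above deserve a second look before the "malicious" labels are taken at face value: Stub.exe fetched NDP46-KB3045560-Web.exe over plain http:// (the 302 is the hop the sandbox saw, whatever it redirected to); the two ET alerts correspond to the two GETs of FREEAV_INST.txt; and the Connections table rates download.microsoft.com "malicious" while the DNS table rates the same name "whitelisted". The following added example (not ANY.RUN code) runs those three checks over rows transcribed from the tables; it is a representative subset, and the eventtrack query string is shortened. The .txt check reproduces only the URL shape of the Suricata rule, since the table does not show the request headers the real rule also inspects.

```python
"""Triage of the HTTP, Connections and DNS tables from this report.

Added example, not ANY.RUN code.  Rows are transcribed from the tables above
(a representative subset; the tracking query string is shortened).  The checks
are what a reviewer does by hand: executables fetched over plain http://, the
GET-of-a-.txt shape that produced the two ET alerts, and domains whose
reputation label in Connections disagrees with the DNS table.
"""
from urllib.parse import urlsplit

# (pid, process, method, status, url) transcribed from "HTTP requests"
HTTP = [
    (3652, "Stub.exe", "GET", 200, "http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt"),
    (3652, "Stub.exe", "GET", 200, "http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt"),
    (3652, "Stub.exe", "GET", 200, "http://eventtrack.pandasecurity.com/track/install/details.html?ProductID=4252&Stub_Event=Start"),
    (3652, "Stub.exe", "GET", 301, "http://www.pandasecurity.com/Vg5sw34C5j"),
    (3652, "Stub.exe", "GET", 302, "http://download.microsoft.com/download/1/4/A/14A6C422-0D3C-4811-A31F-5EF91A83C368/NDP46-KB3045560-Web.exe"),
    (3652, "Stub.exe", "GET", 200, "http://crl3.digicert.com/Omniroot2025.crl"),
    (3652, "Stub.exe", "GET", 200, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b77572da0326f97c"),
    (2368, "Setup.exe", "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl"),
    (860, "svchost.exe", "HEAD", 302, "http://go.microsoft.com/fwlink/?LinkId=249117&clcid=0x409"),
]

# (process, endpoint, domain, reputation) transcribed from "Connections"
CONNECTIONS = [
    ("Stub.exe", "104.111.243.23:80", "www.pandasecurity.com", "unknown"),
    ("Stub.exe", "92.122.255.148:443", "download.microsoft.com", "malicious"),
    ("Stub.exe", "40.69.210.172:80", "eventtrack.pandasecurity.com", "suspicious"),
    ("Stub.exe", "92.122.255.148:80", "download.microsoft.com", "malicious"),
    ("Stub.exe", "2.16.107.106:80", "acs.pandasoftware.com", "suspicious"),
    ("svchost.exe", "104.89.38.104:80", "go.microsoft.com", "malicious"),
    ("Setup.exe", "92.123.194.154:80", "crl.microsoft.com", "suspicious"),
]

# domain -> reputation transcribed from "DNS requests"
DNS = {
    "acs.pandasoftware.com": "whitelisted",
    "eventtrack.pandasecurity.com": "unknown",
    "www.pandasecurity.com": "unknown",
    "download.microsoft.com": "whitelisted",
    "crl3.digicert.com": "shared",
    "crl.microsoft.com": "whitelisted",
    "go.microsoft.com": "whitelisted",
}

EXEC_SUFFIXES = (".exe", ".dll", ".msi")
REP_RANK = {"whitelisted": 0, "shared": 0, "unknown": 1, "suspicious": 2, "malicious": 3}


def cleartext_executables(rows):
    """Executables requested over http://.  A 3xx still counts: the hop the sandbox
    saw was unauthenticated, whatever scheme the redirect target used."""
    hits = []
    for pid, proc, _method, status, url in rows:
        u = urlsplit(url)
        if u.scheme == "http" and u.path.lower().endswith(EXEC_SUFFIXES):
            hits.append((pid, proc, u.path.rsplit("/", 1)[-1], status))
    return hits


def terse_txt_requests(rows):
    """Rows with the URL shape behind 'ET INFO Terse Request for .txt': a GET for a
    .txt over plain HTTP.  The Suricata rule also requires a sparse header set, which
    the table does not show, so this is a pre-filter rather than the rule itself."""
    return [(pid, proc, url) for pid, proc, method, _status, url in rows
            if method == "GET" and urlsplit(url).scheme == "http"
            and urlsplit(url).path.lower().endswith(".txt")]


def reputation_conflicts(conns, dns):
    """domain -> (connections label, dns label) where Connections rates a domain
    worse than the DNS table does; treat that domain's label as unreliable."""
    out = {}
    for _proc, _endpoint, domain, rep in conns:
        if domain in dns and REP_RANK[rep] > REP_RANK[dns[domain]]:
            out[domain] = (rep, dns[domain])
    return out


def triage(http=HTTP, conns=CONNECTIONS, dns=DNS):
    """All three checks in one dict, ready to paste into analysis notes."""
    return {
        "cleartext_executables": cleartext_executables(http),
        "terse_txt": terse_txt_requests(http),
        "reputation_conflicts": reputation_conflicts(conns, dns),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The CRL and disallowed-certificate-STL fetches are deliberately not flagged: those objects are signed and fetched over plain HTTP by design, and their presence here is the Authenticode chain check that the "Checks Windows Trust Settings" and "Reads settings of System Certificates" signatures describe.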
No debug info