download:

PANDAVPN.exe

Full analysis: https://app.any.run/tasks/00526958-9199-45a5-86a0-22e29d3f8975
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 28, 2018, 16:22:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

247613DA2483574ED4F4E24E46AB8B4E

SHA1:

B0F48D6A1572BDFA7DF12E3434F094792D2CC5A6

SHA256:

603B2529BC52C77D36AC055F8685EAA423EA32BCBAFE4445B296E6264070929B

SSDEEP:

49152:uarcbLsMbNZSuLZQtHGSRsfEILSl3CXJk6xGOEi5A3MP:TQbLqU+RsfEIWhyGiE6AcP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Stub.exe (PID: 3020)
      • csrss.exe (PID: 400)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSANCU.exe (PID: 1668)
      • PSANCU.exe (PID: 3172)
      • setup.exe (PID: 3176)
      • PSANHost.exe (PID: 3276)
      • PSANHost.exe (PID: 2940)
      • PSUAService.exe (PID: 2896)
      • csrss.exe (PID: 344)
      • PSUAService.exe (PID: 3776)
      • PSUAConsole.exe (PID: 2600)
      • PSUAMain.exe (PID: 2808)
      • AgentSvc.exe (PID: 2976)
      • PSUAConsole.exe (PID: 3228)
      • regsvr32.exe (PID: 3488)
      • PandaSecurityTb.exe (PID: 2628)
      • AgentSvc.exe (PID: 2052)
      • PSANCU.exe (PID: 3168)
      • PSANCU.exe (PID: 3584)
      • PSANCU.exe (PID: 3988)
      • PSUAMain.exe (PID: 1768)
      • PandaURLFiltering_setup.exe (PID: 2452)
      • Panda_URL_Filteringb.exe (PID: 3976)
      • PSANCU.exe (PID: 3560)
      • Hydra.Sdk.Windows.Service.exe (PID: 1248)
      • PSANCU.exe (PID: 3288)
      • PSUAService.exe (PID: 2480)
      • PSUAService.exe (PID: 944)
      • Hydra.Sdk.Windows.Service.exe (PID: 4044)
      • PSUAConsole.exe (PID: 3684)
      • svchost.exe (PID: 868)
      • hydra.exe (PID: 2580)
      • chrome.exe (PID: 5580)

    • Application was dropped or rewritten from another process

      • Stub.exe (PID: 3020)
      • PSANCU.exe (PID: 3172)
      • PSINAN~1.EXE (PID: 3956)
      • tracelog.exe (PID: 2908)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSANCU.exe (PID: 1668)
      • PSANHost.exe (PID: 2940)
      • PSUAService.exe (PID: 2896)
      • PSANHost.exe (PID: 3276)
      • Hydra.Sdk.Windows.Service.subinacl.exe (PID: 2824)
      • PSUAService.exe (PID: 3776)
      • PSANCU.exe (PID: 3804)
      • PSANCU.exe (PID: 2420)
      • PSUAConsole.exe (PID: 2600)
      • PSANCU.exe (PID: 3400)
      • PSUAMain.exe (PID: 2808)
      • PandaSecurityTb.exe (PID: 2628)
      • pav3wsc.exe (PID: 2728)
      • setup.exe (PID: 3176)
      • pav3wsc.exe (PID: 2768)
      • pav3wsc.exe (PID: 1572)
      • pav3wsc.exe (PID: 3056)
      • pav3wsc.exe (PID: 2404)
      • pav3wsc.exe (PID: 3544)
      • pav3wsc.exe (PID: 3220)
      • PSUAConsole.exe (PID: 3228)
      • tracelog.exe (PID: 3672)
      • tracelog.exe (PID: 2944)
      • PSINAN~1.EXE (PID: 2712)
      • AgentSvc.exe (PID: 2052)
      • AgentSvc.exe (PID: 2976)
      • PSANCU.exe (PID: 3168)
      • PSANCU.exe (PID: 3584)
      • tracelog.exe (PID: 2264)
      • PSANCU.exe (PID: 3988)
      • Panda_URL_Filteringb.exe (PID: 1736)
      • Panda_URL_Filteringb.exe (PID: 3976)
      • PSINAN~1.EXE (PID: 3544)
      • tracelog.exe (PID: 2680)
      • PandaURLFiltering_setup.exe (PID: 2452)
      • PSUAMain.exe (PID: 1768)
      • PSANCU.exe (PID: 3560)
      • pav3wsc.exe (PID: 2748)
      • Hydra.Sdk.Windows.Service.exe (PID: 1248)
      • Hydra.Sdk.Windows.Service.subinacl.exe (PID: 1800)
      • PSUAService.exe (PID: 2480)
      • PSANCU.exe (PID: 3288)
      • pav3wsc.exe (PID: 2500)
      • pav3wsc.exe (PID: 1508)
      • PSUAService.exe (PID: 944)
      • pav3wsc.exe (PID: 1360)
      • Hydra.Sdk.Windows.Service.exe (PID: 4044)
      • tracelog.exe (PID: 2416)
      • PSUAConsole.exe (PID: 3684)
      • hydra.exe (PID: 2580)

    • Changes settings of System certificates

      • setup.exe (PID: 3176)
      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • PSUAConsole.exe (PID: 2600)
      • AgentSvc.exe (PID: 2976)

    • Loads the Task Scheduler DLL interface

      • PSANHost.exe (PID: 3276)

    • Registers / Runs the DLL via REGSVR32.EXE

      • PandaSecurityTb.exe (PID: 2628)

    • Changes the autorun value in the registry

      • PandaURLFiltering_setup.exe (PID: 2452)

    • Downloads executable files from the Internet

      • Stub.exe (PID: 3020)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PANDAVPN.exe (PID: 3600)
      • MsiExec.exe (PID: 3292)
      • {57ED665D-03A8-474F-928F-B7D62D0870E7}.exe (PID: 3920)
      • msiexec.exe (PID: 1728)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSANHost.exe (PID: 3276)
      • PandaSecurityTb.exe (PID: 2628)
      • MsiExec.exe (PID: 3352)
      • MsiExec.exe (PID: 556)
      • DrvInst.exe (PID: 3268)
      • PandaURLFiltering_setup.exe (PID: 2452)
      • MsiExec.exe (PID: 1928)
      • MsiExec.exe (PID: 2152)
      • DrvInst.exe (PID: 2872)
      • DrvInst.exe (PID: 2780)
      • Hydra.Sdk.Windows.Service.exe (PID: 1248)
      • Hydra.Sdk.Windows.Service.exe (PID: 4044)

    • Creates files in the program directory

      • Stub.exe (PID: 3020)
      • tracelog.exe (PID: 2908)
      • setup.exe (PID: 3176)
      • {57ED665D-03A8-474F-928F-B7D62D0870E7}.exe (PID: 3920)
      • PSINAN~1.EXE (PID: 3956)
      • PSANCU.exe (PID: 1668)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSANHost.exe (PID: 2940)
      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • AgentSvc.exe (PID: 2976)
      • PandaSecurityTb.exe (PID: 2628)
      • tracelog.exe (PID: 2944)
      • PSINAN~1.EXE (PID: 2712)
      • PandaURLFiltering_setup.exe (PID: 2452)
      • Panda_URL_Filteringb.exe (PID: 3976)
      • PSUAMain.exe (PID: 1768)
      • tracelog.exe (PID: 2680)
      • PSUAService.exe (PID: 944)
      • PSUAService.exe (PID: 2480)
      • hydra.exe (PID: 2580)

    • Adds / modifies Windows certificates

      • setup.exe (PID: 3176)
      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • PSUAConsole.exe (PID: 2600)
      • AgentSvc.exe (PID: 2976)

    • Creates files in the user directory

      • PSANCU.exe (PID: 3172)
      • PandaSecurityTb.exe (PID: 2628)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 1728)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • AgentSvc.exe (PID: 2976)
      • MsiExec.exe (PID: 556)
      • PSINAN~1.EXE (PID: 2712)
      • PSANCU.exe (PID: 3168)
      • DrvInst.exe (PID: 3268)
      • PSANCU.exe (PID: 3988)
      • PSANCU.exe (PID: 3584)
      • Panda_URL_Filteringb.exe (PID: 3976)
      • DrvInst.exe (PID: 2872)
      • DrvInst.exe (PID: 2780)
      • PSUAService.exe (PID: 2480)
      • PSUAService.exe (PID: 944)
      • Hydra.Sdk.Windows.Service.exe (PID: 4044)

    • Creates files in the driver directory

      • msiexec.exe (PID: 1728)
      • PSANHost.exe (PID: 3276)
      • DrvInst.exe (PID: 3268)
      • MsiExec.exe (PID: 556)
      • DrvInst.exe (PID: 2872)
      • DrvInst.exe (PID: 2780)

    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 1728)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 1728)

    • Creates COM task schedule object

      • MsiExec.exe (PID: 3900)
      • PSANHost.exe (PID: 3276)
      • regsvr32.exe (PID: 3488)
      • MsiExec.exe (PID: 2152)

    • Changes IE settings (feature browser emulation)

      • MsiExec.exe (PID: 3900)
      • MsiExec.exe (PID: 556)
      • MsiExec.exe (PID: 2152)

    • Creates or modifies windows services

      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • PSANHost.exe (PID: 3276)
      • Panda_URL_Filteringb.exe (PID: 3976)
      • svchost.exe (PID: 868)
      • DrvInst.exe (PID: 2780)

    • Removes files from Windows directory

      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • AgentSvc.exe (PID: 2976)
      • MsiExec.exe (PID: 556)
      • DrvInst.exe (PID: 3268)
      • PSANCU.exe (PID: 3168)
      • PSANCU.exe (PID: 3988)
      • PSANCU.exe (PID: 3584)
      • DrvInst.exe (PID: 2872)
      • DrvInst.exe (PID: 2780)
      • PSUAService.exe (PID: 2480)
      • PSUAService.exe (PID: 944)

    • Creates a software uninstall entry

      • PandaSecurityTb.exe (PID: 2628)
      • PandaURLFiltering_setup.exe (PID: 2452)

    • Low-level read access rights to disk partition

      • PSANHost.exe (PID: 3276)

    • Searches for installed software

      • PSUAService.exe (PID: 3776)
      • PSUAService.exe (PID: 944)
      • PSUAService.exe (PID: 2480)

    • Application launched itself

      • software_reporter_tool.exe (PID: 2240)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2620)

  • INFO

    • Dropped object may contain URL's

      • PANDAVPN.exe (PID: 3600)
      • Stub.exe (PID: 3020)
      • setup.exe (PID: 3176)
      • MsiExec.exe (PID: 3292)
      • PSANCU.exe (PID: 1668)
      • Hydra.Sdk.Windows.Service.exe (PID: 2400)
      • MsiExec.exe (PID: 3900)
      • PSUAService.exe (PID: 3776)
      • PSANHost.exe (PID: 3276)
      • MsiExec.exe (PID: 3352)
      • PandaSecurityTb.exe (PID: 2628)
      • msiexec.exe (PID: 1728)
      • MsiExec.exe (PID: 556)
      • {57ED665D-03A8-474F-928F-B7D62D0870E7}.exe (PID: 3920)
      • DrvInst.exe (PID: 3268)
      • PandaURLFiltering_setup.exe (PID: 2452)
      • DrvInst.exe (PID: 2872)
      • MsiExec.exe (PID: 2152)
      • MsiExec.exe (PID: 1928)
      • DrvInst.exe (PID: 2780)
      • PSUAMain.exe (PID: 1768)
      • chrome.exe (PID: 2492)
      • chrome.exe (PID: 2620)
      • chrome.exe (PID: 5032)
      • chrome.exe (PID: 6112)
      • Hydra.Sdk.Windows.Service.exe (PID: 4044)

    • Dropped object may contain Bitcoin addresses

      • {57ED665D-03A8-474F-928F-B7D62D0870E7}.exe (PID: 3920)
      • msiexec.exe (PID: 1728)
      • PSUAService.exe (PID: 3776)

    • Application launched itself

      • msiexec.exe (PID: 1728)
      • chrome.exe (PID: 2620)

    • Creates files in the program directory

      • MsiExec.exe (PID: 3292)
      • msiexec.exe (PID: 1728)
      • MsiExec.exe (PID: 3900)
      • MsiExec.exe (PID: 3352)
      • MsiExec.exe (PID: 556)
      • MsiExec.exe (PID: 1928)

    • Reads settings of System Certificates

      • MsiExec.exe (PID: 3292)
      • PSANHost.exe (PID: 3276)
      • chrome.exe (PID: 2620)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3900)
      • MsiExec.exe (PID: 3292)
      • MsiExec.exe (PID: 3352)
      • MsiExec.exe (PID: 556)
      • msiexec.exe (PID: 1728)
      • MsiExec.exe (PID: 1928)
      • MsiExec.exe (PID: 2152)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 1728)
      • MsiExec.exe (PID: 2152)

    • Creates or modifies windows services

      • msiexec.exe (PID: 1728)
      • MsiExec.exe (PID: 556)

    • Loads the Task Scheduler COM API

      • software_reporter_tool.exe (PID: 2240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:01:26 12:52:53+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 130048
InitializedDataSize: 412160
UninitializedDataSize: -
EntryPoint: 0x19702
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 15.14.4.0
ProductVersionNumber: 15.14.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Panda Security, S.L.
FileDescription: Panda Security SFX
FileVersion: 15.14.4.0
InternalName: 7zS.sfx
LegalCopyright: © Panda 2018
OriginalFileName: 7zS.sfx.exe
ProductName: Panda Security SelfExtrator
ProductVersion: 15.14

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Jan-2018 11:52:53
Detected languages:
  • English - United States
CompanyName: Panda Security, S.L.
FileDescription: Panda Security SFX
FileVersion: 15.14.4.0
InternalName: 7zS.sfx
LegalCopyright: © Panda 2018
OriginalFilename: 7zS.sfx.exe
ProductName: Panda Security SelfExtrator
ProductVersion: 15.14

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 26-Jan-2018 11:52:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001FB61
0x0001FC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.62364
.rdata
0x00021000
0x000076B6
0x00007800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.65215
.data
0x00029000
0x000045A4
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.98703
.rsrc
0x0002E000
0x0005B85C
0x0005BA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.15995

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.21494
1429
Latin 1 / Western European
English - United States
RT_MANIFEST
2
4.0562
270376
Latin 1 / Western European
English - United States
RT_ICON
3
4.13168
67624
Latin 1 / Western European
English - United States
RT_ICON
4
4.2724
16936
Latin 1 / Western European
English - United States
RT_ICON
5
4.45804
9640
Latin 1 / Western European
English - United States
RT_ICON
6
4.64935
4264
Latin 1 / Western European
English - United States
RT_ICON
7
5.0678
1128
Latin 1 / Western European
English - United States
RT_ICON
97
3.04857
184
Latin 1 / Western European
English - United States
RT_DIALOG
188
2.17822
84
Latin 1 / Western European
English - United States
RT_STRING
207
1.43775
52
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
95
Malicious processes
38
Suspicious processes
7

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start pandavpn.exe stub.exe {57ed665d-03a8-474f-928f-b7d62d0870e7}.exe setup.exe tracelog.exe no specs psancu.exe no specs msiexec.exe msiexec.exe psinan~1.exe no specs msiexec.exe no specs csrss.exe no specs psancu.exe no specs hydra.sdk.windows.service.exe hydra.sdk.windows.service.subinacl.exe psanhost.exe no specs csrss.exe no specs psuaservice.exe no specs psanhost.exe psuaservice.exe psancu.exe no specs psancu.exe no specs psancu.exe psuaconsole.exe psuamain.exe no specs pav3wsc.exe no specs pandasecuritytb.exe msiexec.exe regsvr32.exe no specs msiexec.exe no specs agentsvc.exe no specs agentsvc.exe pav3wsc.exe no specs pav3wsc.exe no specs pav3wsc.exe no specs pav3wsc.exe no specs pav3wsc.exe no specs pav3wsc.exe no specs psuaconsole.exe tracelog.exe no specs msiexec.exe tracelog.exe no specs psinan~1.exe no specs psancu.exe no specs drvinst.exe psancu.exe no specs psancu.exe no specs pandaurlfiltering_setup.exe tracelog.exe no specs panda_url_filteringb.exe no specs panda_url_filteringb.exe psuamain.exe msiexec.exe tracelog.exe no specs psinan~1.exe no specs msiexec.exe psancu.exe no specs drvinst.exe drvinst.exe pav3wsc.exe no specs pav3wsc.exe no specs hydra.sdk.windows.service.exe hydra.sdk.windows.service.subinacl.exe psancu.exe no specs psuaservice.exe no specs tracelog.exe no specs pav3wsc.exe no specs pav3wsc.exe no specs psuaservice.exe hydra.sdk.windows.service.exe hydra.exe psuaconsole.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs software_reporter_tool.exe no specs chrome.exe no specs software_reporter_tool.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs svchost.exe pandavpn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
344%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
400%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\System32\csrss.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Client Server Runtime Process
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
556C:\Windows\system32\MsiExec.exe -Embedding C1F2271BE93432D05B4615578B56F391 M Global\MSI0000C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
864C:\Windows\system32\MsiExec.exe -Embedding 00CC8D8481C9E996D03CB905C244B686 M Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
868C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
944"C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe"C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe
services.exe
User:
SYSTEM
Company:
Panda Security, S.L.
Integrity Level:
SYSTEM
Description:
PSUAService
Exit code:
0
Version:
4.0.2.1
Modules
Images
c:\program files\panda security\panda security protection\psuaservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1248"C:\Program Files\Panda Security\Panda Security Protection\Hydra.Sdk.Windows.Service.exe" -install "Panda VPN Service"C:\Program Files\Panda Security\Panda Security Protection\Hydra.Sdk.Windows.Service.exe
msiexec.exe
User:
admin
Integrity Level:
HIGH
Description:
Hydra Sdk Windows Service
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\panda security\panda security protection\hydra.sdk.windows.service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1360 -as:m -active:true -uptodate:true -expired:falseC:\Program Files\Panda Security\Panda Security Protection\pav3wsc.exePSANHost.exe
User:
SYSTEM
Company:
Panda Security, S.L.
Integrity Level:
SYSTEM
Description:
Windows Security Center Manager
Exit code:
0
Version:
1.0.1.4
Modules
Images
c:\program files\panda security\panda security protection\pav3wsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1508 -av:m -active:true -uptodate:true -expired:falseC:\Program Files\Panda Security\Panda Security Protection\pav3wsc.exePSANHost.exe
User:
SYSTEM
Company:
Panda Security, S.L.
Integrity Level:
SYSTEM
Description:
Windows Security Center Manager
Exit code:
0
Version:
1.0.1.4
Modules
Images
c:\program files\panda security\panda security protection\pav3wsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1572 -av:a -avname:"Panda Dome" -path:"C:\Program Files\Panda Security\Panda Security Protection\PAV3WSC.exe" -avreport:true -wscreport:true -active:true -uptodate:true -expired:falseC:\Program Files\Panda Security\Panda Security Protection\pav3wsc.exePSANHost.exe
User:
SYSTEM
Company:
Panda Security, S.L.
Integrity Level:
SYSTEM
Description:
Windows Security Center Manager
Exit code:
0
Version:
1.0.1.4
Modules
Images
c:\program files\panda security\panda security protection\pav3wsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
10 783
Read events
5 591
Write events
4 875
Delete events
317

Modification events

(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3020) Stub.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stub_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
868
Suspicious files
556
Text files
2 541
Unknown types
193

Dropped files

PID
Process
Filename
Type
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\ico_ven_cancel.pngimage
MD5:D3D94C8ACB4CE42424526DA2DCF5DF39
SHA256:4E67660226A201929A6CF6D75CBA7681FA278D30541D412458768FF785EA886B
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\background.pngimage
MD5:66F91F2B36927E1B51344BDA4B373B04
SHA256:DAE5E3F303D3CAB68A7D920F081923BF89DD8FD1C58621C6BC3CAD8B880F1494
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\cancel.pngimage
MD5:DC86C6898184A6335C26F7830A67B6B0
SHA256:BB138DA55A6362AFC4851C30C23BE279B08B1FFA2B4D3170A715C7571C46E5C1
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\avDetect.datgpg
MD5:9A17B5AC44705CC4BC3608C6232E1F16
SHA256:4AD849F737B18084B060828C7CCA48BCF512CC2ADA2A937F5CFBAB79F1B29677
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\atras.pngimage
MD5:6F14ADB92D1AA42AD923182993281A21
SHA256:53F1830AE5664ABA50EDB70017519DB778953A269E4178566328A5328F422CEA
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\final_img.pngimage
MD5:30595BC50C0660181E78FCC5CE594EC9
SHA256:3E20967850F3604DA98B070C8A82FD161B454E9B974B67503B04B04A39E254A1
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\recorte_cloud.pngimage
MD5:F037258F333D7967D5CB7672AE0DD4CA
SHA256:226928BD446DBF9542DBDE8D38367194DCCA65C18A552F4F26DAF30520E41822
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\res\StubInstaller.icoimage
MD5:B1C57C999F8A3BDEC9529ABE456EED97
SHA256:E64DF356B9E79A982DAA7C3D35DB3BF85A800D4D7F870A64C666216BDE731657
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\CommsWrapper.dllexecutable
MD5:DE835B63304969AAB279FD08FF927A8D
SHA256:A474A520C9DAC0E66678A967E9B94923FCBD084E449403399F96B1F0879CF0E6
3600PANDAVPN.exeC:\Users\admin\AppData\Local\Temp\7zS01EBE024\putczip.dllexecutable
MD5:5FBBD0AD928BB667808D1ACB1A3427D4
SHA256:B1BD0D4F04DE3290F75F68C1A4699BB25D0FFCD616152F3ADBC2610B2344CDAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
65
TCP/UDP connections
63
DNS requests
34
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3020
Stub.exe
GET
2.16.186.51:80
http://acs.pandasoftware.com/Panda/PVPN/img/Page_1_en.png
unknown
whitelisted
3020
Stub.exe
GET
200
137.135.129.175:80
http://eventtrack.pandasecurity.com/track/install/details.html?ProductID=4252&Stub_Event=Start&_ei=BCBE736C-BA62-40A0-AFE9-652DC706C2B7&_es=1&_et=Stub&_lt=20180528162315
IE
whitelisted
3176
setup.exe
GET
304
2.16.186.81:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
whitelisted
3176
setup.exe
GET
304
2.16.186.81:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
whitelisted
3292
MsiExec.exe
GET
304
2.16.186.81:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
whitelisted
3276
PSANHost.exe
GET
200
137.135.129.175:80
http://eventtrack.pandasecurity.com/track/install/details.html?Result=0&_ei=25B6A93C-A4EE-498C-BFD1-99CEF0A21284&_es=1&_et=ProductInstallation&_lt=20180528162517
IE
whitelisted
3020
Stub.exe
GET
200
2.16.186.51:80
http://acs.pandasoftware.com/Panda/FREEAV/190613/FREEAV.exe
unknown
executable
61.4 Mb
whitelisted
3292
MsiExec.exe
GET
304
2.16.186.81:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
whitelisted
2400
Hydra.Sdk.Windows.Service.exe
GET
200
8.248.141.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
52.4 Kb
whitelisted
2400
Hydra.Sdk.Windows.Service.exe
GET
200
23.37.43.27:80
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
NL
der
1.71 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3020
Stub.exe
2.16.186.51:80
acs.pandasoftware.com
Akamai International B.V.
whitelisted
3020
Stub.exe
137.135.129.175:80
eventtrack.pandasecurity.com
Microsoft Corporation
IE
whitelisted
3176
setup.exe
2.16.186.81:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted
3292
MsiExec.exe
2.16.186.81:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted
2400
Hydra.Sdk.Windows.Service.exe
8.248.141.254:80
www.download.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2400
Hydra.Sdk.Windows.Service.exe
23.37.43.27:80
s2.symcb.com
Akamai Technologies, Inc.
NL
whitelisted
3276
PSANHost.exe
137.135.129.175:80
eventtrack.pandasecurity.com
Microsoft Corporation
IE
whitelisted
3276
PSANHost.exe
2.16.186.82:80
proinfo.pandasoftware.com
Akamai International B.V.
whitelisted
2628
PandaSecurityTb.exe
34.229.17.164:80
geoip.vmn.net
Amazon.com, Inc.
US
unknown
2600
PSUAConsole.exe
216.58.207.78:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
eventtrack.pandasecurity.com
  • 137.135.129.175
unknown
acs.pandasoftware.com
  • 2.16.186.51
  • 2.16.186.73
whitelisted
www.download.windowsupdate.com
  • 2.16.186.81
  • 2.16.186.56
  • 8.248.141.254
  • 67.26.75.254
  • 8.249.209.254
  • 8.248.7.254
  • 8.248.1.254
whitelisted
s2.symcb.com
  • 23.37.43.27
whitelisted
sv.symcd.com
  • 23.37.43.27
shared
proinfo.pandasoftware.com
  • 2.16.186.82
  • 2.16.186.73
whitelisted
geoip.vmn.net
  • 34.229.17.164
malicious
www.google-analytics.com
  • 216.58.214.78
  • 216.58.207.78
whitelisted
pandasecuritytb.applicationstat.com
  • 66.115.130.30
suspicious
cmg-kw.pandasecurity.com
  • 91.216.218.220
unknown

Threats

PID
Process
Class
Message
3020
Stub.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2628
PandaSecurityTb.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)
2628
PandaSecurityTb.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
2452
PandaURLFiltering_setup.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PANDAVPN.exe