File name:

2017-11-16-Zeus-Panda-Banker.exe

Full analysis: https://app.any.run/tasks/56412118-a960-47f9-adc4-382038050bf6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 06, 2025, 04:13:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

EA69F211D3EF4B51FD00330DE8FE03CE

SHA1:

85E854BE529AF09EA71537CC59FAF52C34F58B73

SHA256:

73381DDDC426B49BAA445378853C761F411A5FE65B7DA736B91979645E5C703F

SSDEEP:

6144:eOv1MANhGY+W7jpSO8D/SHUO4G8ZM8P3lsORAbXUwT1Ypn44GeifWi6E9QHiGwfm:eOv+UhGYPjpSO8Duz4G8ZM8PlsORAbEr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • svchost.exe (PID: 1296)

    • Actions looks like stealing of personal data

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Executable content was dropped or overwritten

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Starts itself from another location

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Starts CMD.EXE for commands execution

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Executing commands from a ".bat" file

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

  • INFO

    • Checks supported languages

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)
      • overrideMap.exe (PID: 4136)

    • Reads the computer name

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)
      • overrideMap.exe (PID: 4136)

    • Reads the machine GUID from the registry

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)
      • overrideMap.exe (PID: 4136)

    • Sends debugging messages

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)
      • overrideMap.exe (PID: 4136)

    • Creates files or folders in the user directory

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Create files in a temporary directory

      • 2017-11-16-Zeus-Panda-Banker.exe (PID: 4300)

    • Checks proxy server information

      • svchost.exe (PID: 1296)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 1296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Clipper DOS Executable (19.1)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:14 14:37:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116224
InitializedDataSize: 52224
UninitializedDataSize: -
EntryPoint: 0x137d3
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.1783.0
ProductVersionNumber: 2.0.1783.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Logitech, Inc.
FileVersion: 2.00.1783.0.1000
LegalCopyright: © Logitech Inc.
LegalTrademarks: © Logitech is a trademark of Logitech Inc.
OriginalFileName: LWS_Uninstaller.exe
ProductName: LWS 2.00.1783.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2017-11-16-zeus-panda-banker.exe overridemap.exe cmd.exe no specs conhost.exe no specs svchost.exe svchost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1296C:\WINDOWS\SysWOW64\svchost.exe -k netsvcsC:\Windows\SysWOW64\svchost.exe
overrideMap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
2800C:\WINDOWS\SysWOW64\svchost.exe -k netsvcsC:\Windows\SysWOW64\svchost.exeoverrideMap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
4136"C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\overrideMap.exe"C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\overrideMap.exe
2017-11-16-Zeus-Panda-Banker.exe
User:
admin
Company:
Logitech, Inc.
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.00.1783.0.1000
Modules
Images
c:\users\admin\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\overridemap.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4300"C:\Users\admin\Downloads\2017-11-16-Zeus-Panda-Banker.exe" C:\Users\admin\Downloads\2017-11-16-Zeus-Panda-Banker.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\2017-11-16-zeus-panda-banker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5092\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5400"C:\WINDOWS\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\upd52000765.bat"C:\Windows\SysWOW64\cmd.exe2017-11-16-Zeus-Panda-Banker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
753
Read events
746
Write events
7
Delete events
0

Modification events

(PID) Process:(1296) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MobilePC
Operation:writeName:Eburquosd
Value:
27CF273ED3737FEEB5DB41F77BCFDE179C54BC22FBBB8C26994CFD7F1E206042544395FC847ADA590119114B9DACE3FDE88CACDAEA62196903B83018D5A555526B648584EFDA51D3F4E52F32DBDD6E458A1FFE79A0426EB98320394842F45204856A617F9D455243A0B0E5892CEC43AF81DCE15F9E70EA18D0CF2C1E8F245450078C2F93862D0C19FE1DB5DEF3BDE5B3C66AD7EF475E070F5C8337AC4E2849B545B1CA8D482594BD286C91EBABE5C2BF348F2846FB52481A7202659387247AC28C7F67A58B3FD1BFD210BCAA2E6DC3FE884BA8469386064130B028114E6E4733C8F0527BCC736D6B516294932B510BC3B102A16C6668B093168E78ED5937F3EDAAB603DBA7BEFA728678C91F7148D001969E1C0F9B187A788BA286570214DB487DCCC897BE4CDFFCB89AF214E1D224F2A9B6B8BF12A59192A7C07C2C005300F8E99DDD129A4E7E0219E705707AFD123D1C42CFB7DC07E21AD2F3C26AA62A8E22B76D8EA03FF3D8F9FDA9B374E389B0B6E9AFDFC6E9614FE4A2B78EEEFD5D562087DA84B8D31FE1D76F25C67B3DA49E2684BD46CC7CE23CA07EA7395A40A22963DC93D5DE4CA448A5C0717AED13B420C7EA344C2CEBB503ED27FBEA26A0623BC5560E7DC1111A069AE13B02F49A46867CD1397A2498F272EE5E9323B5111358DA64232DA2F41B6A6079E064BE9D49601A51026691F8490A6D4BE82A43AA0C5AEBB0FB362953B338DB7142A533540D6836135D73ECECE335435AAB3B5B3754D1B5513EF58EF28988E7E0555F6BBC0A24B78B048B56DE093932D07E3A2DC266BBD114A513AB54CC3F820AC65B510A956E662E00AE2C94AD0290D8AF544AAFAFD806FCFB0C77A9FCCD12942BA63DD3B98A250B188717715EAAD1601807FA0295645EDB91D1FD33A2B188564F04146ADD68AE5014584B62E96FDC2C73BDD036E544270CD4CE95AFF6DEF77F25DA2397218682FC73DBDEB6D4DB54085F84D0A386A733CD1508A45885A835753F4CD6050EB015DF0006778700F838F457DEB74B7963960FE8EB70684816FDF8C83C012242B6EC233B6947AF879C825D94CAA676E85AE14C6CBEF4CB9DBCC9E63E5A08F0C8CEE7A3FC19F5F83D8F9DDE84268F019C429C1BF85EFE0759BBBCA84113E242F0C4DEF1374140BC6D712FBED99C7AB5402989083B4F71463212FB665F3CD4968F4DBD0B4429FCFEBA2DD09537A2A05F44732F338AE34064BCFD30059264556B0BB8CC05DCA02726D51BD7B2B4B042EDF155414758E8848D5FB5BA0527359E38811A792ECB687A1A41AEE295B1CAE859C86E6FBDBF096D5400CFBCB54F0716236C79D2631F0005CB814479266AD34D1CE34AC248C517865C8CF2ABF19D0BA97DF6F830E9A84AAB5243C38105ED755E16A1F3757D8CAB1336A19ABBF6623CE1EAAE14106C229EB32DBB8CD4EFCAF46B27D701DB353C6BBF7DE6635ACE141DBB76BA2C8E313E6E3702FE99ECC5540DC840F2147C97439D0F1DFF121CA2BE379760A2999AB4AF7254E4C2C2D26631802E26E381EA5D133CBDF49923BC18434389E03400F7496304A51F29D166340D7B73AB55043FF16CBB57EA3104D3FDCC5E57511C5A0B0DBA88733BB549605274F5DA7A594B4256947872EAA321602ABADA10823CD4728A9C52F65B328B5DC98749FBCB28F8C06A6820F3D9DA44001F59F98F145180BE7AE1F2E95F31C9B61BC9B2EC6CD33B3DBAFB569E82948091A3DA810884C3E6FAA4D5227C54212F495D6BF002E0D07993F6A10F4F7EDCE35F1D75902B489D453701B7BA87F4C77C4DCFC2BA7453AC1A31CB73DC28CB3F9EA259E7ED855E7E7AC5F0F543180662753BDF85D84C9AB8B0C93C71F4CE4B68C7DD2D313E9E4623B11580DB12BC2204AA0B7EBFDA161BB0B744F36CF8A954A52B5A41455B7B7749699E7559523F2EFA26A8EAE4E15365F6AA2CD3E87E9ECBE24F042919743E2E143AB105B72CDFD95355E384A07E8171391D83D89FDF55E51FB3BA49F7CD98ED3F0F57761771AC34511B95C806619D20BC5A9FBA6DF56E9F54287CCF9E0BD4A52A1AEEAF266E4F2A8DF11496E1C3818041F12A00B298AE17DB70224031D359D11B71D07872A190C6F6F612BF7E75D76B09CA6E2EF244A7A74C3D31AE5CF372E371558EC2C1DAB8358172297A54DF264BC04670D422F51F3492FDE903781F846EABEB345282B5E05BB7A960E5C327E15A6DF8A1A54FD46B6280A461977F7795DBB37B402A7FD2CC63D3A41A1A74B5D14DDC75A0D302743201F504EBDD2D6BE9FA554BEB94DEC12E662683EFC0AF9E10D534619EB76A5868F976EA76EDB23FBB83F4FA2BDE4BBC0285B99F487539FC09DDF80379E1C87E958E8111C98200ABCCC432B45E0CA59FE14E5C373E2587EC16BD96DC5AE1F7780A145FE54D7D9ACCB8DE46B077AB3F03C596D203314391C95FAFA7BDEF163641C77CC9CB3475681920B313A55F03741DA96BB1EF9F7777703B71F5EA315FDF6EA9E92ED9F79F16587BB3CB2D4E
(PID) Process:(1296) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:overrideMap.exe
Value:
"C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\overrideMap.exe"
(PID) Process:(2800) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MobilePC
Operation:writeName:Eburquosd
Value:
B50270BA6E102043E69672D827D2E46214DD6FD1EF35EAB7B22D52F35E1A673B699784C58876536C54C2EA356BEA905E1CA76443640EB14D2B0E74BC03308643F22D71C189662AFA1533796CB8E4E9327954898ACE4EE77CAA0EC501C2BDF2292622A78F83DFF720E1D971105FCE32E076AD3A10C377DB184E2C1812E6038A7D84A39491F4C78BA1C0FF12F9DDA32F02064B0F1FAA9117F0D6C65B27FD1C7E383410B3DC49D94732E14A76FBCCDBA881C93239A5DF2637E05C5BA22755DB7B4A861090D30393C62B23A90ADD418D7616E02436CA5C027794DF0A5BA9E4908C9989D5FB231C61FA6DD4C2F8DD04A61D6A7DB54C714FF1228688A4D0377AB9AC77862D0F4890B84E3036A1DE231A5C0BE22A0982617525CDF97489AA5147A287F466DC3B32166613C986E8ED693EF381545D62953911E4DB9408F52FB7D9D2FB43D6AA398D793D04C377DD0DE46EEF9CB230A90EB84DC0C46F2075C0C15CAEFEC67C8C68B6F77EF2B4EBBA5C447C66F6B6E6FB0A3CE63ED261AB16BFD82566EAAFF5403471A8521A4FC1B09C7B1B518C76A3A045A29AF1802E4EC3B1BA8EC104B0369E81826FC3240CD9F4FF925070B138038AFE07E38DE8285DC44406D6E59EB1C50ED156F35027263D71266D037C75EC49628473DBEA232E6BFDFEF593D658F08A1F23B372C7D263FAD2D2916430D1159A490E9851108A01E26D51DAE6FE82C3C7DB6A15B874378B3F5DEFABBA06F8A8A2CBE05D5E84F6FAF516DA4F15D12EAAA52AA3CD981836439EFD8309A1B2C8B621682EC98460B581262711D98019B83F0516D6D140737753614A745DFEBA72AC0931C56544B492ACF44AC233C08238052D1A5889DA282BA35EDA086A3609868689E7247DC5D421D6673CC38C05FB5A5EFD1A5F2B4FFB1A424B708EF452FC899AB3792B934FC2AB6FE4A462928262B56E604C813F693E63A8CDD2D0F39457C2EC07356A02B3DE8608CC4EBDDA7AFCA07C4BD525DA9E2B80D58DE92F2046B2D9239E6E3E741A8B6108DF3D2176A44BE997913325C6ABBC478BFAE4B8B5B30E5CA00AF729A18096A5EE7AD2B8893ED0BDD5D66949F526B5B1BB6E3823A58BC90E8A508687BE14EE7431150C1F67B480AB897CE5781214B9034E52C9EB819086BDB3EBA8F0E365323D98A5B7B1052C4ABC322FA429AD08DF3F1A7EB84354ABE50FF34531D41525A8E9637A5BBE80A91BAEC97CADCD57407296DD3A15BE0782EC17E0D4C588CB790891B72F0C00AA2B86A1ABB0EC8789E400C10D4067323BE147312C8139B5270D04410BFE1F884B79BC064D782C23A5D657493E6B4C67E080D65AB6375E84E377ACC6E682AE8C073DC9E556652B1ADAB82E16C36884DB51F0BAF62DA5A050042F645A45DAA3032AC166DF69FF3FB36D3457933A27162BB422536D8ECECEA97A7C993093B0A37D73E44F7F59F45AC9C6111184F6CD766E38608F67FCB8137CA2225B8679A657F0E4E5A3D1F45C7ED70EC5D16DEF2145A4F8988BF3D4AA1767531F439AFD5E5E3C53C142644131254F0DAAC7392C2108CD157F555DFB87738B47A453F517D8D86AED603918DF4CBA793F5897A314B13F8F5BC59F099257DC683F7264465D3A0449C55247EB69C25F04575B4DC8E962976D44E927179E5261A4C13FE92D0F1A71E57E35C3218C051B2D6A407180B27A87D17865D6B65FCDA77D87D3371D6419F86C76A550B709393297A5EAE6D5BF8A69FF21012F93EEC48A1CE01797C17971404BF6EF3257C3E0E7E6E690198C8A1B3A8520A150398D1E2A82B9AA19AF0E45F07756032B1994B4E37DCAC3E3B5AEDE894B31A1496ADCAD42982FA3E4396A673D82F72BCCAE97F7CAF1ED12AEB66CCA8F67BFA7D03C86B37A325C8B657E078795ED67FA384E95318BDAF4D02FCD013B488839C917C7EC8CABA1D1A4A16DD8EB75FA842A3CD135ED34446EC530E5BD1E931FF10D02303A3393F93CF97ECC6ACFF80B3F62EEAEB99054892F476D94F879E8C0E4E896586746917270B355385EE16D16BF31C64591D2781FBDF78F6FB3C34E98433448B43D6B490157DB8A858E6C558CF0EFD369648BA313BA533FC0200AB19A48068DB18BBC399D11A0AA0F6B4EFD0D76ED8FBE113FF91480A7EE35FAF309F17761B2CD4680C5AD7CDA1F7B6A8F1F84A97248392EEF2DE516CB89D0547E00F302F353BA867552AFF8966E968DF56853E562327EB0A2A1D8C0E235599C038A59F7AE86D46360284C9FCC81FCDCEEAD0E698369B50E16D878E7C9753552F3513F897D10E183EF085493AD78733A85D62F464E19D0D42D9BD0036ABCE8B4AF65A453F567BA3507866215613E406731AC7B8F1C5F20996A3319B87345FEF5DE9089964E0558DBA4A7CE3A6D64AFDDDF1F6F4FFF024C45562B1EFC1A544D06859B893F6A56EDE14D364EFCF4F22C98FBAE7D527A7C971DA48A8A540A4B68D91E4CB16FD8275C80F56CF6E7F993481932D20468F2555CAD23B432E6CC9E6B12C65C9AA8EDAD7B80
(PID) Process:(2800) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MobilePC
Operation:writeName:Eburquosd
Value:
593A938A29613B2A6EB1A7A37462661001316408FE4A5B5887BA929A09D8BC4A885E16E363ABA4F64BFD2D960844F893235247C67FAA077C195E7C310D5129E2C9B260A79941C1AED5C3B50BCCF34C4C6892C57AA982342D2D1DDCD7944F43FA60536B3E90B414649F43C88D854FE6F7244FCEFDC9AD41D4B3C3B6EB4115204C631F430379D108B01E963B8981036E756D5650D59A8A6A263D38BF7D3C7D3D8FA0E7695430A4EE475FD732A31904223703843F101F4FB49C853BC1376D0D815D0C2C564C6CA3005F0550D0D16C59AE52E13C12D89780815090127537C3EBD67633D9393FE1644B22945A6D408E923101F49D13C3A61BECAC112FBE34B55B6A30C98EAA9BCCDB63EE52D4CEE5625ED5BAD7870675AD1EAD11B8B7758C5A1F3252CF845F4998BE48DA224D0639BA4CC471F330D970B6AD36E1136260A1F7A7832D68EF2820ACE64F0A534EA680B0CF50D5602DF7F4984286730EC0E99F5FA52580519CFA20E9BF85A33AB0789410A7E9E49CE6594AE0B48D6043559FB30CED13EC62F3FF63E1184094412B05FF89DCEE2AB42542559865352CE79BCC066B25DB7DDB872B6490FD733F54CD170DC271EB8B081EE37BB1D75B8B454675F9E9AC903FD5A2D226AF3A775005A77FEE0DD9D0300D5B6CEDB52D5C559CCE710C59C5ABB494808C6B35D9BB3F60EF13EF45198FECC4C5B18BF02AC390A7C08FFE5C96778194A4B811293FCDB7EF675064728DB6BE265AF61B566A354F7C46C70AC5578FFAFDE2A52B9CCDD8CBE9EC72BF8F1E1CC01E21979D3160EF6BD3DCFB2C57CEE309B920C0ACD976AD32375C771EF05E7CF4DFC108FF071FD5952DC08DBCDED42F6408BBF22C10FC8117E1E2FD22EE845E1C721FF7F103C21EE1760EE513D5C2F21080CD949FEF605D4A6C0B021B68868363EEA93C64340818B95B2FCE0B042D4C8C6C84CAFE63287BBB94121689630760EE661791DA557C1FCDEE2062C8362C50585C46166AAE1A3D3EB7DC41386958FE7881BC04D9BD25355F8F51774C2FFAA032A096689B422B0EFA6FBD7EA669EC69A9E8CBF7F268E7BDCA9A9CA7F5DBEBE36681FD6B437EF41D329FC4520DFFFA0A8B498ED2D3599EE92C34393ACC7E30374AE6E73D2BA78C01285FBA2EA545EE0BF35931650AC4B102448A8EC9A2ACFDE84AE52E02717915C27B3DAE01D2B1795154B9B96F7DA6275DDFCC3142DE8A3CDF6BEFBF9F61BB0A95DB8DCD349BDB8550F5FA64683E44177E409D7998AD38EB7A8BA73E46FA76DBFFE2D65C3130A5092A311372940362EC3B93047E2A19A50C8C5C5D1372D33844F5024188ED0EB1B3EBBC5CF09009D2CB37BA13B6C12D8E4D18E4BE64F976FA36CC3097C74D7BF18F9EE05ADC4C65CA01136B63AE31330B88ECE7C5013A5407A5DB81111C8C799ED37BB26D24CB796BFC7160310052F0199DCCA3AD2C8AF9E9180790BE94B23239A674289E83255554A49BF68B1C253CE5F357CB1AB363798DC72B9128446654D9645253F92BC0881EB16B1D7E5F507BD5A5C062B755F1619F0263DBF72B3009561B223B2021E2695A2AEF7868A15615A8CCE82B3A5933877AEC0D18DFD6F19BF28581E9474E52D7942EEC9D2C6B223F8672E96A8ECDA658D12B574242ABCC4171D105BFCD0780D76061BD38FED0440C5718CA1BF9B621BC9D22F3A6128C34945E4E6936F683663294D60A6257F41C423EB00E489192C3D243A1A321045186470C0FB670685EE033A3A3A7928B1070F58A9721CFEBB048DCEF246D19694226D2F5371AE63E301110673EE746C8A11DD40DF612E1E530259DB5CB5F601D50017CF7F2DD1B7E8FEFBACFC46B3DA1D5F8AD34AF4F422C2B3E8147451E1C7513D1CB586479BF68354099726CAECC3A2A0BDCE916AA6F66D849C6F8643F1592758E99897DA54307807384F648458250E912DAA28142BFB9B51A7D49A74D6B51C4333270DCF01CF17C52631604E6F6415857576A877D5F73DD13B3DDE675AFF71EAEEA5BEDAD1274B0C89BC6AC254175F16C6A81D3E7E88824B23233C64EA2AB24BB1831C8E2D69B6B8C5E1101E4B6E7CFA959838E41843CABB49F1D6600C13D9AABF4B8BFF5FE723E776D0C95142C7829CBFCB9895CCB378FB79EDB22EEED93DAE3E562A143AE038573D96321809F21E122A161446FD7F64C9B2C8573F8249C34B515865358EA43DE0C12C725950DAB84CF47837D44755FC0143245E1BB0A156FAB3DB31E9A12A99D0347164F07EB2F85DF3E8B035ECC4997CD9BDC95A76F9085AE7F933F5E6A20598F871F05E1393C784B01A81300FABAE63335F8A9E34A2663E6C52241A5C42D799C5B262B45EB75CD2330BCB796852ABEB17D283B68F125F1C33C0FD5F998ADD21AD77321A28D7C7108B1EAE05FEEAFCEE51A3D5FBFA98B3E06916573D34A437BE159C33D8D1E906FF7170A43A3C8C7232BC14A05C6D48000F070F170C3877E09C01720BEFD7827F558FB7D8CD0B3B120C97AD922AABC4E5D678E9757E3B9
(PID) Process:(1296) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1296) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1296) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
43002017-11-16-Zeus-Panda-Banker.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\overrideMap.exeexecutable
MD5:EA69F211D3EF4B51FD00330DE8FE03CE
SHA256:73381DDDC426B49BAA445378853C761F411A5FE65B7DA736B91979645E5C703F
43002017-11-16-Zeus-Panda-Banker.exeC:\Users\admin\AppData\Local\Temp\upd52000765.battext
MD5:671CFA8BB4B43A62C9F7C1D1A2ED0E78
SHA256:5CE0037F0BFEB41B8BD01542E8FB97248E64CC09C2B1513D186F604B42CF0A01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
31
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5200
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5200
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5036
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.21.110.139:443
www.bing.com
AKAMAI-AS
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4308
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.21.110.139
  • 2.21.110.146
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
google.com
  • 142.250.185.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.4
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
Process
Message
2017-11-16-Zeus-Panda-Banker.exe
vTqPc0
overrideMap.exe
vTqPc0
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2017-11-16-Zeus-Panda-Banker.exe