File name: PANDAFREEAV.exe
Full analysis: https://app.any.run/tasks/3ed4db66-7889-45d7-8e42-e972c95c8c5c
Verdict: Malicious activity
Analysis date: February 29, 2024, 14:51:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BC55EB7E07290B1C46C59497A850197E
SHA1: B97FC19B756C9AEA60F223AC5323FAE2C6384CC0
SHA256: 76F6ADC970043817F3A9651E0ABFBA5A6B0BD3A052A52A1E8B7DB5B6737B9C56
SSDEEP: 98304:G/8MB7lwbHR2Tto2//us6qHyw239D3HS8cqWUqM7Prz+fQwx+HKSzsyytDs1fG73:09

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • PANDAFREEAV.exe (PID: 2964)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • PANDAFREEAV.exe (PID: 2964)
    • The process drops C-runtime libraries

      • PANDAFREEAV.exe (PID: 2964)
    • Executable content was dropped or overwritten

      • PANDAFREEAV.exe (PID: 2964)
    • Reads the Internet Settings

      • Stub.exe (PID: 1876)
    • Reads security settings of Internet Explorer

      • Stub.exe (PID: 1876)
    • Process requests binary or script from the Internet

      • Stub.exe (PID: 1876)
  • INFO

    • Checks supported languages

      • PANDAFREEAV.exe (PID: 2964)
      • Stub.exe (PID: 1876)
      • wmpnscfg.exe (PID: 3276)
    • Reads Environment values

      • PANDAFREEAV.exe (PID: 2964)
    • Creates files in the program directory

      • Stub.exe (PID: 1876)
    • Create files in a temporary directory

      • PANDAFREEAV.exe (PID: 2964)
      • Stub.exe (PID: 1876)
    • Reads the computer name

      • Stub.exe (PID: 1876)
      • wmpnscfg.exe (PID: 3276)
    • Checks proxy server information

      • Stub.exe (PID: 1876)
    • Reads the machine GUID from the registry

      • Stub.exe (PID: 1876)
    • Creates files or folders in the user directory

      • Stub.exe (PID: 1876)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:14 10:09:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 257024
InitializedDataSize: 437760
UninitializedDataSize: -
EntryPoint: 0x28a10
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 15.14.5.0
ProductVersionNumber: 15.14.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Panda Security, S.L.
FileDescription: Panda Security SFX
FileVersion: 15.14.5.0
InternalName: 7zS.sfx
LegalCopyright: © Panda 2019
OriginalFileName: 7zS.sfx.exe
ProductName: Panda Security SelfExtrator
ProductVersion: 15.14
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes (graph image not reproduced): start, pandafreeav.exe, stub.exe, wmpnscfg.exe (no specs), pandafreeav.exe (no specs)

Process information

PID: 1876
CMD: ".\Stub.exe" /c "181305" /u "http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe" /a "CNTPZFPR1M1016" /p "4252"
Path: C:\Users\admin\AppData\Local\Temp\7zS49B24D38\Stub.exe
Parent process: PANDAFREEAV.exe
User: admin
Company: Panda Security, S.L.
Integrity Level: HIGH
Exit code: 0
Version: 5.0.38.3
Modules (images):
  c:\users\admin\appdata\local\temp\7zs49b24d38\stub.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll

PID: 2160
CMD: "C:\Users\admin\AppData\Local\Temp\PANDAFREEAV.exe"
Path: C:\Users\admin\AppData\Local\Temp\PANDAFREEAV.exe
Parent process: explorer.exe
User: admin
Company: Panda Security, S.L.
Integrity Level: MEDIUM
Description: Panda Security SFX
Exit code: 3221226540
Version: 15.14.5.0
Modules (images):
  c:\users\admin\appdata\local\temp\pandafreeav.exe
  c:\windows\system32\ntdll.dll

PID: 2964
CMD: "C:\Users\admin\AppData\Local\Temp\PANDAFREEAV.exe"
Path: C:\Users\admin\AppData\Local\Temp\PANDAFREEAV.exe
Parent process: explorer.exe
User: admin
Company: Panda Security, S.L.
Integrity Level: HIGH
Description: Panda Security SFX
Exit code: 0
Version: 15.14.5.0
Modules (images):
  c:\users\admin\appdata\local\temp\pandafreeav.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 3276
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

Total events: 1 255
Read events: 1 237
Write events: 13
Delete events: 5

Modification events

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: PandaRunOnce
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value: (empty)

(PID) Process: (1876) Stub.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Executable files: 8
Suspicious files: 1
Text files: 37
Unknown types: 1

Dropped files

PID | Process | Filename | Type
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\final_img.png | image
  MD5: 30595BC50C0660181E78FCC5CE594EC9
  SHA256: 3E20967850F3604DA98B070C8A82FD161B454E9B974B67503B04B04A39E254A1
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\atras.png | image
  MD5: 6F14ADB92D1AA42AD923182993281A21
  SHA256: 53F1830AE5664ABA50EDB70017519DB778953A269E4178566328A5328F422CEA
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\img_product1.png | image
  MD5: 1714652A08968AAB7E4CCC1801E0050F
  SHA256: EF693F45D5CFBE30A3F4F0081DAED414390B412DE0946CD45C14B9B218868390
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\img_product2.png | image
  MD5: FD92546FC781EFEF844196C15E45F570
  SHA256: 99466F827368EF2FE2783E0112B683FDB29973055BEA1D88B30462918D776993
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\avDetect.dat | gpg
  MD5: 9A17B5AC44705CC4BC3608C6232E1F16
  SHA256: 4AD849F737B18084B060828C7CCA48BCF512CC2ADA2A937F5CFBAB79F1B29677
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\ico_ven_cancel.png | image
  MD5: D3D94C8ACB4CE42424526DA2DCF5DF39
  SHA256: 4E67660226A201929A6CF6D75CBA7681FA278D30541D412458768FF785EA886B
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\opera_bul.png | image
  MD5: 6BE345E9B3C61C4ABAFEEAEE15BB6DC6
  SHA256: 5E6E8C18F239E740A842A167289C48D5DD8A72CBFB0519C83FA5AF7FBD61FC7D
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\cancel.png | image
  MD5: DC86C6898184A6335C26F7830A67B6B0
  SHA256: BB138DA55A6362AFC4851C30C23BE279B08B1FFA2B4D3170A715C7571C46E5C1
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\background.png | image
  MD5: 66F91F2B36927E1B51344BDA4B373B04
  SHA256: DAE5E3F303D3CAB68A7D920F081923BF89DD8FD1C58621C6BC3CAD8B880F1494
2964 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zS49B24D38\res\opera_dan.png | image
  MD5: 0D1A2B6C14E6351B1A92133297D565C5
  SHA256: 5CB0D9BC99F4B17B9E8DE4CEE5E15C91D080B2E0F83B9FFECC8830DCA39C5ACA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 16
DNS requests: 2
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1876 | Stub.exe | GET | 200 | 2.22.242.114:80 | http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt | unknown | text | 175 b | unknown
1876 | Stub.exe | GET | - | 2.22.242.139:80 | http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe | unknown | - | - | unknown
1876 | Stub.exe | GET | - | 2.22.242.139:80 | http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe | unknown | - | - | unknown
1876 | Stub.exe | GET | - | 2.22.242.139:80 | http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe | unknown | - | - | unknown
1876 | Stub.exe | GET | - | 2.22.242.139:80 | http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe | unknown | - | - | unknown
1876 | Stub.exe | GET | - | 2.22.242.139:80 | http://acs.pandasoftware.com/Panda/FREEAV/181305/FREEAV.exe | unknown | - | - | unknown
1876 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1103&Installation_End=OK&ProductID=4252&Stub_Event=StartInst&_ei=2EBB99B4-E107-407C-8B06-854AA20BC342&_es=1&_et=Stub&_lt=20240229145142 | unknown | - | - | unknown
1876 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Stub_Event=Start&_ei=0AB49611-3BE1-443C-B924-A4A635783948&_es=1&_et=Stub&_lt=20240229145144 | unknown | - | - | unknown
1876 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1104&Installation_End=OK&Stub_Event=StartInst&_ei=43925956-7CBC-42BC-8311-18A97618E052&_es=1&_et=Stub&_lt=20240229145210 | unknown | - | - | unknown
1876 | Stub.exe | GET | - | 2.22.242.114:80 | http://acs.pandasoftware.com/Panda/FREEAV/img_pd/Page_1_en.png | unknown | - | - | unknown

("-" marks a cell the report left empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1876 | Stub.exe | 40.69.210.172:80 | eventtrack.pandasecurity.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1876 | Stub.exe | 2.22.242.114:80 | acs.pandasoftware.com | Akamai International B.V. | DE | unknown
1876 | Stub.exe | 2.22.242.139:80 | acs.pandasoftware.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
eventtrack.pandasecurity.com | 40.69.210.172 | unknown
acs.pandasoftware.com | 2.22.242.114, 2.22.242.139 | whitelisted

Threats

PID | Process | Class | Message
1876 | Stub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1876 | Stub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1876 | Stub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1876 | Stub.exe | Misc activity | ET INFO Packed Executable Download
1876 | Stub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1876 | Stub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info