File name: PanLoaderInstall.exe
Full analysis: https://app.any.run/tasks/354f0f91-760f-4ec2-a08f-30c49386d218
Verdict: Malicious activity
Analysis date: June 06, 2024, 04:01:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BE4B4731CEF4D0386F5F9DA39BB1B2B5
SHA1: D1DF968DC5C453A848644923C229430D80E421A7
SHA256: B05CC5CB1F19C77676C0E68EA87A32BFB9164086E270D5DBE6E0E65CED5DEE93
SSDEEP: 24576:hBg+wm9/IqgJDOStf1I4xand3v9rIUyqUtDFlP2u5PvRxhNc:hBcBqgJDOStf1I4xanBv9rIUyqUtDFl+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • PanLoaderInstall.exe (PID: 3968)
      • PanLoaderInstall.exe (PID: 1024)
      • PanLoaderInstall.tmp (PID: 1020)
    • Changes the autorun value in the registry
      • PanLoaderInstall.tmp (PID: 1020)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • PanLoaderInstall.exe (PID: 3968)
      • PanLoaderInstall.exe (PID: 1024)
      • PanLoaderInstall.tmp (PID: 1020)
    • Reads the Windows owner or organization settings
      • PanLoaderInstall.tmp (PID: 1020)
    • Process drops a legitimate Windows executable
      • PanLoaderInstall.tmp (PID: 1020)
    • Application launched itself
      • panLoad.exe (PID: 2044)
    • Executes commands from a ".bat" file
      • PanLoaderInstall.tmp (PID: 1020)
    • Starts CMD.EXE for command execution
      • PanLoaderInstall.tmp (PID: 1020)
  • INFO
    • Checks supported languages
      • PanLoaderInstall.exe (PID: 1024)
      • PanLoaderInstall.tmp (PID: 3984)
      • PanLoaderInstall.exe (PID: 3968)
      • PanLoaderInstall.tmp (PID: 1020)
      • panLoad.exe (PID: 2044)
      • panLoad.exe (PID: 372)
    • Creates files in a temporary directory
      • PanLoaderInstall.exe (PID: 3968)
      • PanLoaderInstall.exe (PID: 1024)
      • PanLoaderInstall.tmp (PID: 1020)
      • panLoad.exe (PID: 2044)
      • panLoad.exe (PID: 372)
    • Reads the computer name
      • PanLoaderInstall.tmp (PID: 3984)
      • PanLoaderInstall.tmp (PID: 1020)
    • Creates files in the program directory
      • PanLoaderInstall.tmp (PID: 1020)
    • Creates a software uninstall entry
      • PanLoaderInstall.tmp (PID: 1020)
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.9.1.0
ProductVersionNumber: 3.9.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: EspiralMS
FileDescription: PanLoader Installer
FileVersion: 3.9.1.0
LegalCopyright: EspiralMS 2023
ProductName: ProactivaNET
ProductVersion: 3.9.1.0
Total processes: 44
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree as drawn in the graph (parent above child; PIDs taken from the process table below; nodes the graph marks "no specs" are labelled as such):

start
  panloaderinstall.exe (PID 3968)
    panloaderinstall.tmp (PID 3984, no specs)
      panloaderinstall.exe (PID 1024)
        panloaderinstall.tmp (PID 1020)
          cmd.exe (PID 1036, no specs)
            schtasks.exe (PID 124, no specs)
          panload.exe (PID 2044, no specs)
            panload.exe (PID 372, no specs)

Process information

(One entry per monitored process: PID, command line, image path, parent process, then the process details and loaded modules.)
PID: 124
CMD: schtasks /query /tn "ProactivaNET - Panloader"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\schtasks.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\ole32.dll
PID: 372
CMD: "C:\Program Files\EspiralMS\PanLoader\files\panload.exe" /nd
Path: C:\Program Files\EspiralMS\PanLoader\files\panLoad.exe
Parent process: panLoad.exe
User: admin
Company: Espiral MS www.espiralms.com
Integrity Level: HIGH
Description: ProactivaNET PanLoader
Version: 3.11.0.0
Modules (images):
  c:\program files\espiralms\panloader\files\panload.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wsock32.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\version.dll
PID: 1020
CMD: "C:\Users\admin\AppData\Local\Temp\is-Q1RUS.tmp\PanLoaderInstall.tmp" /SL5="$30130,312954,54272,C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-Q1RUS.tmp\PanLoaderInstall.tmp
Parent process: PanLoaderInstall.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-q1rus.tmp\panloaderinstall.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
PID: 1024
CMD: "C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe
Parent process: PanLoaderInstall.tmp
User: admin
Company: EspiralMS
Integrity Level: HIGH
Description: PanLoader Installer
Exit code: 0
Version: 3.9.1.0
Modules (images):
  c:\users\admin\appdata\local\temp\panloaderinstall.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
PID: 1036
CMD: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\EspiralMS\PanLoader\files\unschedtask.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: PanLoaderInstall.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
PID: 2044
CMD: "C:\Program Files\EspiralMS\PanLoader\files\panload.exe"
Path: C:\Program Files\EspiralMS\PanLoader\files\panLoad.exe
Parent process: PanLoaderInstall.tmp
User: admin
Company: Espiral MS www.espiralms.com
Integrity Level: HIGH
Description: ProactivaNET PanLoader
Exit code: 0
Version: 3.11.0.0
Modules (images):
  c:\program files\espiralms\panloader\files\panload.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wsock32.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\version.dll
PID: 3968
CMD: "C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe"
Path: C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe
Parent process: explorer.exe
User: admin
Company: EspiralMS
Integrity Level: MEDIUM
Description: PanLoader Installer
Exit code: 0
Version: 3.9.1.0
Modules (images):
  c:\users\admin\appdata\local\temp\panloaderinstall.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
PID: 3984
CMD: "C:\Users\admin\AppData\Local\Temp\is-C9AB9.tmp\PanLoaderInstall.tmp" /SL5="$20138,312954,54272,C:\Users\admin\AppData\Local\Temp\PanLoaderInstall.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-C9AB9.tmp\PanLoaderInstall.tmp
Parent process: PanLoaderInstall.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-c9ab9.tmp\panloaderinstall.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
Total events: 2 992
Read events: 2 945
Write events: 35
Delete events: 12

Modification events

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: FC0300003CD7EA4CC6B7DA01

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: ABA1F8832E1396B59AF96FAE3074BE4186BC3176DAFF608ED975B0BF07287854

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\EspiralMS\PanLoader\files\panLoad.exe

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 9A10A5E4741AF44816E402731556D700426FE1EFCA5A5690A3951AF7E7400E5D

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ESPIRALMS\PANET\PANLOADER
Operation: delete value
Name: PANURL
Value: (empty)

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ESPIRALMS\PANET\PANLOADER
Operation: write
Name: PANURL
Value: (empty)

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ESPIRALMS\PANET\PANLOADER
Operation: delete value
Name: AGENT
Value: (empty)

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ESPIRALMS\PANET\PANLOADER
Operation: write
Name: AGENT
Value: 0

(PID) Process: (1020) PanLoaderInstall.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\ESPIRALMS\PANET\PANLOADER
Operation: delete value
Name: LOADER
Value: (empty)
Executable files: 16
Suspicious files: 0
Text files: 6
Unknown types: 1

Dropped files

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\files\panLoad.exe
Type: executable
MD5: 731A5DD870669106F902BCA80F03006B
SHA256: 8B855D4D16ED9EBFABE20C181616976B1A09383C7CDAAED28CCF1CBDF2EE7C79

PID: 3968
Process: PanLoaderInstall.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-C9AB9.tmp\PanLoaderInstall.tmp
Type: executable
MD5: 15430669556C2062CEADD5B125E8CEA7
SHA256: 64DB719C67988B106BF2D1A5B842445E8FF9B6436BE28BCAA0B8876D330F8168

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-7KKAA.tmp\_isetup\_shfoldr.dll
Type: executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 1024
Process: PanLoaderInstall.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-Q1RUS.tmp\PanLoaderInstall.tmp
Type: executable
MD5: 15430669556C2062CEADD5B125E8CEA7
SHA256: 64DB719C67988B106BF2D1A5B842445E8FF9B6436BE28BCAA0B8876D330F8168

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\files\setacl.exe
Type: executable
MD5: ACDE12FA9A971A254C76C34C0BBE8608
SHA256: 243DEE6B04AA006BAEE70922DBE9AA80FD0682CBEF5E12AD1540CFD8D1188705

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\is-GBCD6.tmp
Type: executable
MD5: 5C26183EBB2518F60F873B8EB8037EBA
SHA256: 7E3B8FE52347ADFC8068E22C48B49D95A050B21EBAF2DD8B6BF02CC572BB023A

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\is-JB9BD.tmp
Type: executable
MD5: 731A5DD870669106F902BCA80F03006B
SHA256: 8B855D4D16ED9EBFABE20C181616976B1A09383C7CDAAED28CCF1CBDF2EE7C79

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\unins000.exe
Type: executable
MD5: 5C26183EBB2518F60F873B8EB8037EBA
SHA256: 7E3B8FE52347ADFC8068E22C48B49D95A050B21EBAF2DD8B6BF02CC572BB023A

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\files\is-5JVTN.tmp
Type: executable
MD5: ACDE12FA9A971A254C76C34C0BBE8608
SHA256: 243DEE6B04AA006BAEE70922DBE9AA80FD0682CBEF5E12AD1540CFD8D1188705

PID: 1020
Process: PanLoaderInstall.tmp
Filename: C:\Program Files\EspiralMS\PanLoader\files\is-1VSAR.tmp
Type: executable
MD5: 731A5DD870669106F902BCA80F03006B
SHA256: 8B855D4D16ED9EBFABE20C181616976B1A09383C7CDAAED28CCF1CBDF2EE7C79
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

(Columns in the report: PID, Process, IP, Domain, ASN, CN, Reputation. The Domain, ASN and CN columns were empty for every row.)

PID 4, System: 192.168.100.255:137, reputation: whitelisted
PID 4, System: 192.168.100.255:138, reputation: whitelisted
(PID and process not shown): 224.0.0.252:5355, reputation: unknown
PID 1088, svchost.exe: 224.0.0.252:5355, reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info