General Info

File name

SQLi Dumper v.8.0.rar

Full analysis
https://app.any.run/tasks/c6e243e0-8dab-491d-b297-4ca8298f0bdd
Verdict
Malicious activity
Analysis date
4/15/2019, 04:32:35
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v4, os: Win32
MD5

a248bed1a043be09d6a39c2429deedd4

SHA1

41f83a7d85d1bdc1e5a42b9f50d6d1d309d86cd1

SHA256

97a35fe7953ec05c1ae408f6f3ce19286987d9887ffce114a8e33aeb82471ed6

SSDEEP

98304:/uYeOJic6BUfmfZaRqv1Eod8+N6jqnrmjyJH7vIdYWSJG:/uJK6BQmagEP+NmWXxs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • SQLi Dumper v.8.0.exe (PID: 3156)
Application was dropped or rewritten from another process
  • SQLi ask v.8.0.exe (PID: 3804)
  • SQLi Dumper v.8.0.exe (PID: 3156)
  • SQLi Dumper v.8.0.exe (PID: 1628)
Changes settings of System certificates
  • SQLi ask v.8.0.exe (PID: 3804)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3024)
  • SQLi Dumper v.8.0.exe (PID: 3156)
Adds / modifies Windows certificates
  • SQLi ask v.8.0.exe (PID: 3804)
Reads internet explorer settings
  • SQLi ask v.8.0.exe (PID: 3804)
Creates files in the program directory
  • SQLi Dumper v.8.0.exe (PID: 3156)
Reads settings of System Certificates
  • SQLi ask v.8.0.exe (PID: 3804)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.rar
|   RAR compressed archive (v-4.x) (58.3%)
.rar
|   RAR compressed archive (gen) (41.6%)
EXIF
ZIP
CompressedSize:
1875715
UncompressedSize:
4200448
OperatingSystem:
Win32
ModifyDate:
2015:04:18 00:08:19
PackingMethod:
Normal
ArchivedFileName:
SQLi Dumper v.8.0.exe

Processes

Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Process tree recovered from the graph (parents as listed under Process information below):

WinRAR.exe (PID 3024)
  ├─ SQLi Dumper v.8.0.exe (PID 1628, dropped and started by WinRAR.exe; no specs)
  └─ SQLi Dumper v.8.0.exe (PID 3156, dropped and started by WinRAR.exe)
       └─ SQLi ask v.8.0.exe (PID 3804, dropped and started by SQLi Dumper v.8.0.exe)

Process information


PID
3024
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.8.0.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa3024.8675\sqli dumper v.8.0.exe

PID
1628
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this first launch at MEDIUM integrity asked for elevation; the same command line then ran as PID 3156 at HIGH integrity)
Version:
Company
SQLi Dumper v.8.0
Description
SQLi Dumper v.8.0
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3024.8675\sqli dumper v.8.0.exe
c:\systemroot\system32\ntdll.dll

PID
3156
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
SQLi Dumper v.8.0
Description
SQLi Dumper v.8.0
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3024.8675\sqli dumper v.8.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.remo#\5cae93d923c8378370758489e5535820\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\google\chrome\application\ask toolbar chrome.exe
c:\program files\mozilla firefox\ask toolbar firefox.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\rar$exa3024.8675\sqli ask v.8.0\sqli ask v.8.0.exe
c:\windows\system32\netutils.dll

PID
3804
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe
Indicators
Parent process
SQLi Dumper v.8.0.exe
User
admin
Integrity Level
HIGH
Version:
Company
[email protected]
Description
SQLi Dumper
Version
7.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3024.8675\sqli ask v.8.0\sqli ask v.8.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runt73a1fc9d#\647f9e8a4465888d8348c3f66611c463\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\032f5fa875be86b577722ddeeee2e51c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sxs.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\assembly\gac\microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\microsoft.mshtml.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\14da86a7ddbf09bd27b30061ff9a4f5e\system.web.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\webengine4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\cd7ca8846a122a7e690e11c4611bc902\system.numerics.ni.dll

Registry activity

Total events
966
Read events
918
Write events
48
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3024
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.8.0.rar
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3024
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3156
SQLi Dumper v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Ask Toolbar Chrome
C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk
3156
SQLi Dumper v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Ask Toolbar Firefox
C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.lnk
3156
SQLi Dumper v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3156
SQLi Dumper v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3804
SQLi ask v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3804
SQLi ask v.8.0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names
4QEsxaATyeGdRP0pc5xzc2DmxsaGbXTZEwrqR7jlKQuDVYHTNhJOCCGbmjkwkhn90I8XYnRVWe2x3LIQudZWb8074hiWIt9RFwokVEzsQiZzeQOiBX7bEh
3804
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
EnableFileTracing
0
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
EnableConsoleTracing
0
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
FileTracingMask
4294901760
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
ConsoleTracingMask
4294901760
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
MaxFileSize
1048576
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASAPI32
FileDirectory
%windir%\tracing
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
EnableFileTracing
0
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
EnableConsoleTracing
0
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
FileTracingMask
4294901760
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
ConsoleTracingMask
4294901760
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
MaxFileSize
1048576
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi ask v_RASMANCS
FileDirectory
%windir%\tracing
3804
SQLi ask v.8.0.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF0405300301
01FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Blob
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
3804
SQLi ask v.8.0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
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

Files activity

Executable files
5
Suspicious files
2
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe
executable
MD5: 925fbff2922b4c3db86d74081da16042
SHA256: ada3f7924e51055e0d27ef17bc78d8ac7898a89487c29acb25985f1b3e975e47
3156
SQLi Dumper v.8.0.exe
C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.exe
executable
MD5: 64e1afa6fb8e0223cba7e91bbe98900c
SHA256: e4536059749871614abc0970ffc4910483aece65563e37ea3f6e2ef91f74e8b5
3156
SQLi Dumper v.8.0.exe
C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.exe
executable
MD5: 64e1afa6fb8e0223cba7e91bbe98900c
SHA256: e4536059749871614abc0970ffc4910483aece65563e37ea3f6e2ef91f74e8b5
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe
executable
MD5: be1088e8aae934834be0ca831e609055
SHA256: 6bddca0de3cc4c39ebf9411a020d7a465915707ddf63a45161cf57537d414c52
3156
SQLi Dumper v.8.0.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe
executable
MD5: be1088e8aae934834be0ca831e609055
SHA256: 6bddca0de3cc4c39ebf9411a020d7a465915707ddf63a45161cf57537d414c52
3156
SQLi Dumper v.8.0.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings
xml
MD5: 1b17de3ce85d92d0de568556a87227f8
SHA256: 88ab60c265a2966766b7d914a2e57d36023877eb24ea86deb1eb4600d9ae4fe7
3156
SQLi Dumper v.8.0.exe
C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk
lnk
MD5: 5acedcbc1559513bd85df3d108302605
SHA256: f42df2b0199d1fac003ad23b02d92e04acd49ee3fdbf2a917ac835abc6990d5c
3156
SQLi Dumper v.8.0.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\GeoIP.dat
binary
MD5: cb9ad69965f9f4cff8572983f60be67c
SHA256: 56c7079dc309168d9c41dd4a7a61033acd264a120ca8d2e2182abb5b9ae6b0a3
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings.xml
xml
MD5: b7497045cf6de20131b3cb512a310480
SHA256: 27f668f0265a280657a47d3fbfab80ba6b13c0bdb0cbcedd65e8b43b9f8a5b10
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\DIC\dic_admin.txt
text
MD5: a0e54634ddd435df5b82e20ea20c7efe
SHA256: 963e3a1e46d5f4c35b85464db61b7c346c5c44669e64a5c016192dde078f997a
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\DIC\dic_file_dump.txt
text
MD5: 351cacffc2884fcd4e69bb1fb04ddeb5
SHA256: c67bcc0b4ed5e5ef72aa1134c0838d9201a97c2bf462fdff0ac9052a53b286a2
3156
SQLi Dumper v.8.0.exe
C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.lnk
lnk
MD5: 8f799d1f778f73d0800828c41d9d1c60
SHA256: 2abe97bf9d478eb55dcbe32a0fa88b72f1a19d84504808a14f2cbdf0511f7b50
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings
xml
MD5: 1b17de3ce85d92d0de568556a87227f8
SHA256: 88ab60c265a2966766b7d914a2e57d36023877eb24ea86deb1eb4600d9ae4fe7
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\GeoIP.dat
binary
MD5: cb9ad69965f9f4cff8572983f60be67c
SHA256: 56c7079dc309168d9c41dd4a7a61033acd264a120ca8d2e2182abb5b9ae6b0a3
3024
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\ErrLog.txt
text
MD5: f9103c4a4c8b9d1207558867e5e02426
SHA256: 22506505fb138e35b712a7db37d8342bedd87e6d568a576399294cd79144b5e4
3156
SQLi Dumper v.8.0.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\ErrLog.txt
text
MD5: f9103c4a4c8b9d1207558867e5e02426
SHA256: 22506505fb138e35b712a7db37d8342bedd87e6d568a576399294cd79144b5e4
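Taken together, the dropped-file and registry events show the persistence chain: PID 3156 writes the same executable (MD5 64e1afa6fb8e0223cba7e91bbe98900c) into the Chrome and Firefox directories under Program Files as "Ask Toolbar Chrome.exe" and "Ask Toolbar Firefox.exe", places a .lnk beside each, and points two HKCU\...\CurrentVersion\Run values at the shortcuts. The Run value alone only names a .lnk, so the executable that actually starts at logon is invisible in the registry log; correlating the Run write with what the same PID dropped in that directory recovers it. The following script is an added example, not part of the ANY.RUN report, that does that correlation over events constructed from the lists above; the rule flags a Run value when the writing PID dropped an executable in the target directory, and independently when the value is a shortcut.

```python
import ntpath
from dataclasses import dataclass

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


@dataclass(frozen=True)
class DroppedFile:
    pid: int
    process: str
    path: str
    kind: str  # the sandbox's type label: executable, lnk, xml, ...


def is_run_key(key: str) -> bool:
    """HKCU/HKLM ...\\CurrentVersion\\Run and RunOnce, compared case-insensitively."""
    k = key.lower()
    return k.endswith(RUN_KEY_SUFFIX) or k.endswith(RUN_KEY_SUFFIX + "once")


def find_dropped_persistence(reg_writes, dropped):
    """Report every Run-key value for which the same PID dropped an executable in
    the directory the value points at. A value that is a .lnk is reported on its
    own as well, because the shortcut hides the real command line from the log."""
    exes_by_pid = {}
    for d in dropped:
        if d.kind == "executable":
            exes_by_pid.setdefault(d.pid, []).append(d.path)
    findings = []
    for w in reg_writes:
        if not is_run_key(w.key):
            continue
        target_dir = ntpath.dirname(w.value).lower()
        dropped_here = [p for p in exes_by_pid.get(w.pid, ())
                        if ntpath.dirname(p).lower() == target_dir]
        value_is_lnk = w.value.lower().endswith(".lnk")
        if dropped_here or value_is_lnk:
            findings.append({
                "pid": w.pid,
                "process": w.process,
                "run_name": w.name,
                "run_value": w.value,
                "value_is_lnk": value_is_lnk,
                "dropped_exe": dropped_here[0] if dropped_here else None,
            })
    return findings


# Constructed from the registry and file events in this report (paths copied as listed).
SAMPLE_REG_WRITES = [
    RegWrite(3156, "SQLi Dumper v.8.0.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "Ask Toolbar Chrome", r"C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk"),
    RegWrite(3156, "SQLi Dumper v.8.0.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "Ask Toolbar Firefox", r"C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.lnk"),
    RegWrite(3156, "SQLi Dumper v.8.0.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
             "AutoDetect", "1"),
]
SAMPLE_DROPPED = [
    DroppedFile(3024, "WinRAR.exe",
                r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe", "executable"),
    DroppedFile(3156, "SQLi Dumper v.8.0.exe",
                r"C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.exe", "executable"),
    DroppedFile(3156, "SQLi Dumper v.8.0.exe",
                r"C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.exe", "executable"),
    DroppedFile(3156, "SQLi Dumper v.8.0.exe",
                r"C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk", "lnk"),
]

if __name__ == "__main__":
    for finding in find_dropped_persistence(SAMPLE_REG_WRITES, SAMPLE_DROPPED):
        print(finding)
```

The ZoneMap write is included to show that ordinary Internet Settings writes by the same process are ignored; only the two Run values come out, each paired with the executable that the shortcut will launch.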

Find more information about the static content, and download it, in the full report

Network activity

HTTP(S) requests
109
TCP/UDP connections
60
DNS requests
10
Threats
0
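The HTTP requests listed below are almost all GETs from SQLi ask v.8.0.exe to public search engines carrying the same few search terms (`?item_id=`, `article ?id=`, `detail ?id=`): the search-engine dorking that SQLi Dumper-style tools use to harvest candidate injectable URLs. As an added example, not part of the ANY.RUN report, the script below pulls the search term out of each engine's own query parameter, groups the requests by dork and engine, and flags a dork that fans out to many engines, which is a cheap network-side indicator of a bulk dork scanner as opposed to a person searching. The parameter table and the sample URLs are constructed from the request rows in this report.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Query parameter that carries the search term for each engine, taken from the
# request URLs in this report.
SEARCH_PARAMS = {
    "www.bing.com": "q",
    "pesquisa.sapo.pt": "q",
    "www.wow.com": "q",
    "search.aol.com": "q",
    "search.yahoo.com": "p",
    "www.ask.com": "q",
    "www.webcrawler.com": "q",
    "search.mywebsearch.com": "searchfor",
    "www.yandex.com": "text",
}


def extract_dork(url: str):
    """Return (engine host, decoded search term), or None when the URL is not a
    search request we know how to read (e.g. a captcha or access-denied page)."""
    parts = urlsplit(url)
    param = SEARCH_PARAMS.get(parts.hostname)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)  # parse_qs also undoes %xx and '+'
    if not values:
        return None
    return parts.hostname, values[0]


def summarize(urls):
    """Group search requests by dork: ({dork: {engine: count}}, unclassified urls)."""
    by_dork = defaultdict(Counter)
    other = []
    for url in urls:
        hit = extract_dork(url)
        if hit is None:
            other.append(url)
            continue
        engine, term = hit
        by_dork[term][engine] += 1
    return {term: dict(engines) for term, engines in by_dork.items()}, other


def flag_fanout(summary, min_engines=3):
    """Dorks sent to at least `min_engines` distinct engines, in first-seen order."""
    return [term for term, engines in summary.items() if len(engines) >= min_engines]


# Constructed sample: the first fifteen request URLs listed in this report.
SAMPLE_URLS = [
    "http://www.bing.com/search?q=%3fitem_id%3d&count=50",
    "http://pesquisa.sapo.pt/?q=%3fitem_id%3d",
    "http://www.wow.com/search?q=%3fitem_id%3d",
    "http://search.aol.com/aol/search?&q=%3fitem_id%3d",
    "http://search.yahoo.com/search?n=100&p=%3fitem_id%3d",
    "http://www.ask.com/web?q=%3fitem_id%3d",
    "http://www.webcrawler.com/search/web?q=%3fitem_id%3d",
    "http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d",
    "http://www.yandex.com/yandsearch?text=%3fitem_id%3d",
    "http://search.mywebsearch.com/assets/accessdenied/default.htm",
    "http://www.yandex.com/yandsearch?text=article+%3fid%3d",
    "http://www.bing.com/search?q=%3fitem_id%3d&first=50&count=50",
    "http://pesquisa.sapo.pt/?q=article+%3fid%3d",
    "http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3D"
    "article%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295622/fa08dbcebc25147c4138abb5512556de"
    "&s=51d07f4fe65eaf24a8ae155a388466d6",
    "http://pesquisa.sapo.pt/?q=detail+%3fid%3d",
]

if __name__ == "__main__":
    summary, other = summarize(SAMPLE_URLS)
    for term, engines in summary.items():
        print(repr(term), engines)
    print("fan-out dorks:", flag_fanout(summary))
    print("unclassified:", other)
```

The Yandex captcha page and the mywebsearch access-denied page end up in the unclassified list, which is itself a useful signal: engines started rate-limiting the process within the 60-second task.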

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3804 | SQLi ask v.8.0.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&count=50 | US | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.13.145.10:80 | http://pesquisa.sapo.pt/?q=%3fitem_id%3d | PT | xml | | malicious
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://www.wow.com/search?q=%3fitem_id%3d | CH | text | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?&q=%3fitem_id%3d | CH | text | | malicious
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.yahoo.com/search?n=100&p=%3fitem_id%3d | CH | text | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 504 | 52.17.173.115:80 | http://www.webcrawler.com/search/web?q=%3fitem_id%3d | IE | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 302 | 2.18.232.251:80 | http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d | unknown | –– | –– | malicious
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.180.204.62:80 | http://www.yandex.com/yandsearch?text=%3fitem_id%3d | RU | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 2.18.232.251:80 | http://search.mywebsearch.com/assets/accessdenied/default.htm | unknown | html | | malicious
3804 | SQLi ask v.8.0.exe | GET | 302 | 213.180.204.62:80 | http://www.yandex.com/yandsearch?text=article+%3fid%3d | RU | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&first=50&count=50 | US | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.13.145.10:80 | http://pesquisa.sapo.pt/?q=article+%3fid%3d | PT | xml | | malicious
3804 | SQLi ask v.8.0.exe | GET | 504 | 52.17.173.115:80 | http://www.webcrawler.com/search/web?q=%3fitem_id%3d | IE | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | –– | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.180.204.62:80 | http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295622/fa08dbcebc25147c4138abb5512556de&s=51d07f4fe65eaf24a8ae155a388466d6 | RU | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 302 | 2.18.232.251:80 | http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d | unknown | html | | malicious
3804 | SQLi ask v.8.0.exe | GET | –– | 212.82.100.137:80 | http://www.wow.com/search?q=%3fitem_id%3d | CH | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?&q=%3fitem_id%3d | CH | text | | malicious
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.yahoo.com/search?n=100&p=%3fitem_id%3d | CH | text | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 2.18.232.251:80 | http://search.mywebsearch.com/assets/accessdenied/default.htm | unknown | html | | malicious
3804 | SQLi ask v.8.0.exe | GET | 302 | 213.180.204.62:80 | http://www.yandex.com/yandsearch?text=article+%3fid%3d | RU | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&first=100&count=50 | US | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 504 | 52.17.173.115:80 | http://www.webcrawler.com/search/web?q=%3fitem_id%3d | IE | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.180.204.62:80 | http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295623/7b12669e7261aeaa2c5e87e8c8213757&s=e073810253b174adb10452f2e90ce3de | RU | html | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.13.145.10:80 | http://pesquisa.sapo.pt/?q=detail+%3fid%3d | PT | xml | | malicious
3804 | SQLi ask v.8.0.exe | GET | –– | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | –– | –– | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 302 | 2.18.232.251:80 | http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d | unknown | html | | malicious
3804 | SQLi ask v.8.0.exe | GET | 200 | 2.18.232.251:80 | http://search.mywebsearch.com/assets/accessdenied/default.htm | unknown | html | | malicious
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://www.wow.com/search?q=%3fitem_id%3d | CH | text | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?&q=%3fitem_id%3d | CH | text | | malicious
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://search.yahoo.com/search?n=100&p=%3fitem_id%3d | CH | text | | whitelisted
3804 | SQLi ask v.8.0.exe | GET | 302 | 213.180.204.62:80 | http://www.yandex.com/yandsearch?text=article+%3fid%3d | RU | | |
html
whitelisted
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=150&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295624/b6700fe03c488d17ef98c6c48c5ba2f5&s=7ba9037305483f7b869fbf5e671d9792 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=%3fitem_id%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 213.13.145.10:80 http://pesquisa.sapo.pt/?q=newscat+%3fid%3d PT
xml
malicious
3804 SQLi ask v.8.0.exe GET –– 151.101.2.114:80 http://www.ask.com/web?q=%3fitem_id%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=%3fitem_id%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=%3fitem_id%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=200&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=article+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=%3fitem_id%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295625/5db08821054a87b105b825ed22a47c4e&s=75c505eb45f981a3a0d15b18ab980106 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 213.13.145.10:80 http://pesquisa.sapo.pt/?q=readnews+%3fid%3d PT
xml
malicious
3804 SQLi ask v.8.0.exe GET –– 151.101.2.114:80 http://www.ask.com/web?q=%3fitem_id%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET –– 212.82.100.137:80 http://www.wow.com/search?q=%3fitem_id%3d CH
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=%3fitem_id%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=250&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=article+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295626/894186fae8f008afc3038b61ee3956c3&s=8ff6bfed5fea7aed6006d2b906274c29 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=article+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET –– 151.101.2.114:80 http://www.ask.com/web?q=article+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=article+%3fid%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=300&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=detail+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=article+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Ddetail%2B%253fid%253d_7944428758e54a9596a215f733c3924a&t=0/1555295627/ae17dbd6252843cdfbc8b3949288e1df&s=70201d2c442a7eb10d8b2887a99e62a5 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 301 151.101.2.114:80 http://www.ask.com/web?q=article+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=article+%3fid%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=350&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=detail+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=article+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Ddetail%2B%253fid%253d_7944428758e54a9596a215f733c3924a&t=0/1555295628/6a29fd916d0984a74fca1758a02e2257&s=795fc5091a6e1451bacc3e0297ceec19 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 301 151.101.2.114:80 http://www.ask.com/web?q=article+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=article+%3fid%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=400&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=article+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=detail+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Ddetail%2B%253fid%253d_7944428758e54a9596a215f733c3924a&t=0/1555295629/f3d18361afc9bd616f828dca1eec79af&s=160c19b19c8f2b0f0fc34429229170e8 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 301 151.101.2.114:80 http://www.ask.com/web?q=article+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=article+%3fid%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=450&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=article+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=detail+%3fid%3d RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 200 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Ddetail%2B%253fid%253d_7944428758e54a9596a215f733c3924a&t=0/1555295630/867bd9ff50d527d4bc45245843423b09&s=873acb55dd92af3e8a49b8324740c1c1 RU
html
whitelisted
3804 SQLi ask v.8.0.exe GET 302 2.18.232.251:80 http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=article+%3fid%3d unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 301 151.101.2.114:80 http://www.ask.com/web?q=article+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.aol.com/aol/search?&q=%3fitem_id%3d CH
text
malicious
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://www.wow.com/search?q=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 301 212.82.100.137:80 http://search.yahoo.com/search?n=100&p=article+%3fid%3d CH
text
whitelisted
3804 SQLi ask v.8.0.exe GET 200 2.18.232.251:80 http://search.mywebsearch.com/assets/accessdenied/default.htm unknown
html
malicious
3804 SQLi ask v.8.0.exe GET 200 204.79.197.200:80 http://www.bing.com/search?q=%3fitem_id%3d&first=500&count=50 US
html
whitelisted
3804 SQLi ask v.8.0.exe GET 504 52.17.173.115:80 http://www.webcrawler.com/search/web?q=detail+%3fid%3d IE
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET 302 213.180.204.62:80 http://www.yandex.com/yandsearch?text=detail+%3fid%3d RU
html
whitelisted
–– –– GET –– 151.101.2.114:80 http://www.ask.com/web?q=detail+%3fid%3d US
––
––
whitelisted
3804 SQLi ask v.8.0.exe GET –– 213.180.204.62:80 http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Ddetail%2B%253fid%253d_7944428758e54a9596a215f733c3924a&t=0/1555295632/33ed8485b77bf8dc40aab084a41dc904&s=e2de324a4721610c18f86b0a5dab6bf5 RU
––
––
whitelisted


Connections

PID Process IP ASN CN Reputation
3804 SQLi ask v.8.0.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3804 SQLi ask v.8.0.exe 212.82.100.137:80 Yahoo! UK Services Limited CH shared
3804 SQLi ask v.8.0.exe 213.13.145.10:80 Servicos De Comunicacoes E Multimedia S.A. PT malicious
3804 SQLi ask v.8.0.exe 216.58.205.228:443 Google Inc. US whitelisted
3804 SQLi ask v.8.0.exe 151.101.2.114:80 Fastly US unknown
3804 SQLi ask v.8.0.exe 52.17.173.115:80 Amazon.com, Inc. IE unknown
3804 SQLi ask v.8.0.exe 2.18.232.251:80 Akamai International B.V. –– whitelisted
3804 SQLi ask v.8.0.exe 213.180.204.62:80 YANDEX LLC RU whitelisted
3804 SQLi ask v.8.0.exe 151.101.2.114:443 Fastly US unknown
3804 SQLi ask v.8.0.exe 212.82.100.137:443 Yahoo! UK Services Limited CH shared
–– –– 151.101.2.114:443 Fastly US unknown
–– –– 212.82.100.137:80 Yahoo! UK Services Limited CH shared
–– –– 151.101.2.114:80 Fastly US unknown

DNS requests

Domain IP Reputation
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
search.mywebsearch.com 2.18.232.251 malicious
www.google.com 216.58.205.228 whitelisted
www.yandex.com 213.180.204.62 whitelisted
pesquisa.sapo.pt 213.13.145.10 malicious
www.wow.com 212.82.100.137 whitelisted
search.aol.com 212.82.100.137 malicious
www.webcrawler.com 52.17.173.115, 34.241.67.236, 63.33.80.171 whitelisted
www.ask.com 151.101.2.114, 151.101.66.114, 151.101.130.114, 151.101.194.114 whitelisted
search.yahoo.com 212.82.100.137 whitelisted

Threats

No threats detected.

Debug output strings

No debug info.