Malware analysis ibd2sql-main.zip Malicious activity | ANY.RUN

Add for printing

File name:	ibd2sql-main.zip
Full analysis:	https://app.any.run/tasks/4309edba-3e43-4334-adb5-2ee551dbb2d5
Verdict:	Malicious activity
Analysis date:	August 18, 2024, 18:20:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	75CB4CD94AEAA270E4F05A2EB55210D8
SHA1:	D382E74DBD99FE131E16AA31A962BDD8096CF0B3
SHA256:	D320279923973B7700E7A5306ABA163D8E0FDC6FAF89ED54202356EFF94D4CE9
SSDEEP:	1536:aIaM6NU3RbI+ZxFro4givOTwCn/46OUlFDjXSFaXgIuBlj2C/P:aIaTf+HFr1g+OEA5OuXXSoMBlj2eP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - python-3.12.5-amd64.exe (PID: 8100)
SUSPICIOUS
- Executable content was dropped or overwritten
  - python-3.12.5-amd64.exe (PID: 8100)
  - python-3.12.5-amd64.exe (PID: 8000)
- Searches for installed software
  - python-3.12.5-amd64.exe (PID: 8100)
- Creates a software uninstall entry
  - python-3.12.5-amd64.exe (PID: 8100)
- The process drops C-runtime libraries
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Process drops legitimate windows executable
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Drops the executable file immediately after the start
  - python-3.12.5-amd64.exe (PID: 8100)
  - python-3.12.5-amd64.exe (PID: 8000)
  - msiexec.exe (PID: 5244)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 5244)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 5244)
INFO
- Manual execution by a user
  - msedge.exe (PID: 1216)
  - cmd.exe (PID: 6464)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 1216)
- Checks supported languages
  - TextInputHost.exe (PID: 5656)
  - identity_helper.exe (PID: 7900)
  - msiexec.exe (PID: 5244)
  - python-3.12.5-amd64.exe (PID: 8000)
  - python-3.12.5-amd64.exe (PID: 8100)
- Reads the computer name
  - TextInputHost.exe (PID: 5656)
  - identity_helper.exe (PID: 7900)
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Reads Environment values
  - identity_helper.exe (PID: 7900)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 1216)
  - msedge.exe (PID: 6420)
  - msiexec.exe (PID: 5244)
- Application launched itself
  - msedge.exe (PID: 1216)
- The process uses the downloaded file
  - msedge.exe (PID: 7564)
  - msedge.exe (PID: 1216)
- Creates files or folders in the user directory
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Reads the machine GUID from the registry
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Create files in a temporary directory
  - python-3.12.5-amd64.exe (PID: 8000)
  - python-3.12.5-amd64.exe (PID: 8100)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5244)
- Reads the software policy settings
  - msiexec.exe (PID: 5244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:08:09 11:39:08
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	ibd2sql-main/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

173

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

532

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1140

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7212 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1184

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3492 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1216

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1452

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7024 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1716

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=6116 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1860

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4076 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2228

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5104

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=6264 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5144

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1520 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

37 154

Read events

36 567

Write events

561

Delete events

Modification events


(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\ibd2sql-main.zip
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(1216) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

Add for printing

Executable files

Suspicious files

416

Text files

252

Unknown types

Dropped files

PID	Process	Filename		Type
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\ibd2sql.py		text
		MD5:3B5F8632E03F3701F77BEC48AE921105	SHA256:1D2BB836740FD5690A13CEFDF5441A187A9BAF15A7BCC0F471EEBF96B98F4256
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\blob.py		text
		MD5:03AC9994C2EEBE3639AA5148FA01B670	SHA256:B5EABD369E5174C42E91D9EB5FBF9EE767CFB58A71583D2C00C51C8BEB75BAE7
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page.py		text
		MD5:827452A083ECDAB996FA93AB7435761C	SHA256:72C84F3806362FAAF52C318F711E9B78608734F2BB0743012732502B9644EA0C
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_ibuf.py		text
		MD5:E29D2F32F61577875912EFF50DB83BC9	SHA256:E95160BF554E917C9A89CDDC2F5D82CDAE124337107B58ED897A12DD61A5B15F
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\docs\CHANGELOG.md		text
		MD5:BF12F5A9106D1D10546E79B2119CB0A6	SHA256:DC5A413CA4C3243E3975F3EB212771C7E0A184BC72EA9BE2B418A66B63380AAF
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\LICENSE		text
		MD5:1EBBD3E34237AF26DA5DC08A4E440464	SHA256:3972DC9744F6499F0F9B2DBF76696F2AE7AD8AF9B23DDE66D6AF86C9DFB36986
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\docs\USAGE.md		text
		MD5:57A12EF53546E1816CDF2CACFAAE0339	SHA256:CA6AAB41065EAA31CD9A44D86487AAE989B1F8AADEEBA2679B23C2C3537B1480
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\README_zh.md		text
		MD5:65A1B5BA7C32A85B418251D2F6A5E7A9	SHA256:A2B3C3E9DF4592FB92A0643D92A04346F81A9EDF975F92B7CF98100F87EB3F01
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\__init__.py		text
		MD5:8AB30A8A541A0F2852FF28F1299FDBF1	SHA256:75FF06C51CD5EC972DC4342F20D694C6ABE856E4BCF6E4006A5E3EDCAADDA7C0
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\docs\INSTANT.md		text
		MD5:EB351FA94BA18D2765B11F58E020444A	SHA256:ADB95DB526BFF0936136C72A30D7D673645EB09769A836D8C3F9B1301DF51B0D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

137

DNS requests

143

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6692	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
6588	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.16.241.15:80	http://apps.identrust.com/roots/dstrootcax3.p7c	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.23.197.184:80	http://x1.i.lencr.org/	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.23.197.184:80	http://r3.i.lencr.org/	unknown	—	—	whitelisted
1216	msedge.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3164	svchost.exe	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5060	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6692	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6692	backgroundTaskHost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	20.190.159.4 40.126.31.67 20.190.159.2 20.190.159.64 20.190.159.0 40.126.31.69 40.126.31.71 20.190.159.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	2.23.209.182 2.23.209.150 2.23.209.158 2.23.209.149 2.23.209.177 2.23.209.176 2.23.209.187 2.23.209.179 2.23.209.185 2.23.209.173 2.23.209.175 2.23.209.143 2.23.209.160 2.23.209.141 2.23.209.156	whitelisted
r.bing.com	2.23.209.141 2.23.209.158 2.23.209.156 2.23.209.149 2.23.209.150 2.23.209.160 2.23.209.175 2.23.209.173 2.23.209.143 2.23.209.179 2.23.209.182 2.23.209.177 2.23.209.176	whitelisted
th.bing.com	2.23.209.135 2.23.209.140 2.23.209.150 2.23.209.133 2.23.209.130 2.23.209.149 2.23.209.141 2.23.209.158 2.23.209.176	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.26	whitelisted

Threats

PID	Process	Class	Message
6420	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6420	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6420	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
6420	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
6420	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6420	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6420	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
6420	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)

Add for printing

No debug info

General Info

ibd2sql-main.zip

75CB4CD94AEAA270E4F05A2EB55210D8

D382E74DBD99FE131E16AA31A962BDD8096CF0B3

D320279923973B7700E7A5306ABA163D8E0FDC6FAF89ED54202356EFF94D4CE9

1536:aIaM6NU3RbI+ZxFro4givOTwCn/46OUlFDjXSFaXgIuBlj2C/P:aIaTf+HFr1g+OEA5OuXXSoMBlj2eP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Searches for installed software

Creates a software uninstall entry

The process drops C-runtime libraries

Process drops legitimate windows executable

Drops the executable file immediately after the start

Reads the Windows owner or organization settings

Checks Windows Trust Settings

INFO

Manual execution by a user

Reads Microsoft Office registry keys

Checks supported languages

Reads the computer name

Reads Environment values

Executable content was dropped or overwritten

Application launched itself

The process uses the downloaded file

Creates files or folders in the user directory

Reads the machine GUID from the registry

Create files in a temporary directory

Creates a software uninstall entry

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings