Malware analysis ibd2sql-main.zip Malicious activity | ANY.RUN

Add for printing

File name:	ibd2sql-main.zip
Full analysis:	https://app.any.run/tasks/4309edba-3e43-4334-adb5-2ee551dbb2d5
Verdict:	Malicious activity
Analysis date:	August 18, 2024, 18:20:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	75CB4CD94AEAA270E4F05A2EB55210D8
SHA1:	D382E74DBD99FE131E16AA31A962BDD8096CF0B3
SHA256:	D320279923973B7700E7A5306ABA163D8E0FDC6FAF89ED54202356EFF94D4CE9
SSDEEP:	1536:aIaM6NU3RbI+ZxFro4givOTwCn/46OUlFDjXSFaXgIuBlj2C/P:aIaTf+HFr1g+OEA5OuXXSoMBlj2eP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - python-3.12.5-amd64.exe (PID: 8100)
SUSPICIOUS
- Drops the executable file immediately after the start
  - python-3.12.5-amd64.exe (PID: 8000)
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Executable content was dropped or overwritten
  - python-3.12.5-amd64.exe (PID: 8000)
  - python-3.12.5-amd64.exe (PID: 8100)
- Creates a software uninstall entry
  - python-3.12.5-amd64.exe (PID: 8100)
- Searches for installed software
  - python-3.12.5-amd64.exe (PID: 8100)
- The process drops C-runtime libraries
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Process drops legitimate windows executable
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 5244)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 5244)
INFO
- Checks supported languages
  - TextInputHost.exe (PID: 5656)
  - identity_helper.exe (PID: 7900)
  - python-3.12.5-amd64.exe (PID: 8100)
  - python-3.12.5-amd64.exe (PID: 8000)
  - msiexec.exe (PID: 5244)
- Reads the computer name
  - TextInputHost.exe (PID: 5656)
  - identity_helper.exe (PID: 7900)
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Manual execution by a user
  - cmd.exe (PID: 6464)
  - msedge.exe (PID: 1216)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 1216)
- Application launched itself
  - msedge.exe (PID: 1216)
- Reads Environment values
  - identity_helper.exe (PID: 7900)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 1216)
  - msedge.exe (PID: 6420)
  - msiexec.exe (PID: 5244)
- The process uses the downloaded file
  - msedge.exe (PID: 7564)
  - msedge.exe (PID: 1216)
- Create files in a temporary directory
  - python-3.12.5-amd64.exe (PID: 8000)
  - python-3.12.5-amd64.exe (PID: 8100)
- Creates files or folders in the user directory
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Reads the machine GUID from the registry
  - python-3.12.5-amd64.exe (PID: 8100)
  - msiexec.exe (PID: 5244)
- Reads the software policy settings
  - msiexec.exe (PID: 5244)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5244)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:08:09 11:39:08
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	ibd2sql-main/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

173

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

532

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1140

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7212 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1184

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3492 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1216

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1452

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7024 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1716

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=6116 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1860

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4076 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2228

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5104

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=6264 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5144

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1520 --field-trial-handle=2380,i,9887126371588821199,14262268722535835318,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

37 154

Read events

36 567

Write events

561

Delete events

Modification events


(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\ibd2sql-main.zip
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6864) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop
(PID) Process:	(1216) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

Add for printing

Executable files

Suspicious files

416

Text files

252

Unknown types

Dropped files

PID	Process	Filename		Type
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\ibd2sql.py		text
		MD5:3B5F8632E03F3701F77BEC48AE921105	SHA256:1D2BB836740FD5690A13CEFDF5441A187A9BAF15A7BCC0F471EEBF96B98F4256
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\COLLATIONS.py		text
		MD5:10354377058AAAB64B543CA3B538E8A4	SHA256:E65D215CB855501E4A7CE9753CBC1F465E83359C1AFD2EB909C4CDFF5B1424AE
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\blob.py		text
		MD5:03AC9994C2EEBE3639AA5148FA01B670	SHA256:B5EABD369E5174C42E91D9EB5FBF9EE767CFB58A71583D2C00C51C8BEB75BAE7
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_inode.py		text
		MD5:85493AFCDC6AF8C91300410F5DBD4805	SHA256:7F08C464D269E6D48D4467D87B7EC4548D0E69686E5DD971F0A4880EBCA23D54
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page.py		text
		MD5:827452A083ECDAB996FA93AB7435761C	SHA256:72C84F3806362FAAF52C318F711E9B78608734F2BB0743012732502B9644EA0C
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_expage.py		text
		MD5:B85000C12C9EB332CE159FA116A8AE63	SHA256:CD1076908214F1D9FAADB8F7A72BFF25D78155555AB3973ED9ABD252CC9B910B
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_ibuf.py		text
		MD5:E29D2F32F61577875912EFF50DB83BC9	SHA256:E95160BF554E917C9A89CDDC2F5D82CDAE124337107B58ED897A12DD61A5B15F
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_spaceORxdes.py		text
		MD5:6E5862A866791E41A70E2FA9306916DF	SHA256:D15F6FF7B53F4B9C6BD57F7FA986EF3684E5AEDD0759A8E33D1B13398E3867EB
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_page_sdi.py		text
		MD5:66F0F06A12525F82F6B3C259ABBEA967	SHA256:AB2A8D6BB53761AFCB625629D4E1A0E9B6A6E50FDB153C25ECFB6D458F189E61
6864	WinRAR.exe	C:\Users\admin\Desktop\ibd2sql-main\ibd2sql\innodb_type.py		text
		MD5:43D91CE1C20064910CC19C6900D99FDC	SHA256:FF0F0A31DD2F007C1F5B34311DAA758BC2206909943742BC44718A41243F7A77

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

137

DNS requests

143

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6692	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
6588	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.16.241.15:80	http://apps.identrust.com/roots/dstrootcax3.p7c	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.23.197.184:80	http://x1.i.lencr.org/	unknown	—	—	whitelisted
6420	msedge.exe	GET	304	2.23.197.184:80	http://r3.i.lencr.org/	unknown	—	—	whitelisted
1216	msedge.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3164	svchost.exe	20.190.159.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5060	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6692	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6692	backgroundTaskHost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	20.190.159.4 40.126.31.67 20.190.159.2 20.190.159.64 20.190.159.0 40.126.31.69 40.126.31.71 20.190.159.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	2.23.209.182 2.23.209.150 2.23.209.158 2.23.209.149 2.23.209.177 2.23.209.176 2.23.209.187 2.23.209.179 2.23.209.185 2.23.209.173 2.23.209.175 2.23.209.143 2.23.209.160 2.23.209.141 2.23.209.156	whitelisted
r.bing.com	2.23.209.141 2.23.209.158 2.23.209.156 2.23.209.149 2.23.209.150 2.23.209.160 2.23.209.175 2.23.209.173 2.23.209.143 2.23.209.179 2.23.209.182 2.23.209.177 2.23.209.176	whitelisted
th.bing.com	2.23.209.135 2.23.209.140 2.23.209.150 2.23.209.133 2.23.209.130 2.23.209.149 2.23.209.141 2.23.209.158 2.23.209.176	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.26	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .cc TLD
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
—	—	Potentially Bad Traffic	ET DNS Query for .cc TLD
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
—	—	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)

Add for printing

No debug info

General Info

ibd2sql-main.zip

75CB4CD94AEAA270E4F05A2EB55210D8

D382E74DBD99FE131E16AA31A962BDD8096CF0B3

D320279923973B7700E7A5306ABA163D8E0FDC6FAF89ED54202356EFF94D4CE9

1536:aIaM6NU3RbI+ZxFro4givOTwCn/46OUlFDjXSFaXgIuBlj2C/P:aIaTf+HFr1g+OEA5OuXXSoMBlj2eP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Creates a software uninstall entry

Searches for installed software

The process drops C-runtime libraries

Process drops legitimate windows executable

Checks Windows Trust Settings

Reads the Windows owner or organization settings

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

Reads Microsoft Office registry keys

Application launched itself

Reads Environment values

Executable content was dropped or overwritten

The process uses the downloaded file

Create files in a temporary directory

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings