msiql.exe

The application msiql.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘msiql’. While running, it connects to the Internet address ip-50-63-202-38.ip.secureserver.net on port 80 using the HTTP protocol.
Version:
1.0.1.30

MD5:
e786c8bcd8bfc51df0f5cc00237bd28e

SHA-1:
31c0dbaadce68602d87245d89e445312e8ebe828

SHA-256:
f94572bc188e3478af6eefa582526d15a71af4177f81c80a0abe71b32315bca5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
2/7/2017 6:10:30 AM UTC  (eleven months)

Scan engine:
Reason Heuristics

Detection:
PUP.TopTools (M)

Engine version:
17.2.7.1

File size:
2.1 MB (2,177,536 bytes)

Product version:
1.0.1.30

Copyright:
Copyright (C) 2015

Original file name:
jkajskdfj

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\windows\temp\00005586\msiql.exe

File PE Metadata
Compilation timestamp:
11/19/2006 4:40:37 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x21AF62

Entry point:
85, FB, 78, 06, 8D, 15, FB, 99, F6, C5, 68, 82, 07, 0A, 00, 19, DB, 69, F3, 5F, 07, 12, A0, 78, 03, F6, C2, 59, F7, C5, 96, CA, 17, 54, 0F, AF, EA, F7, C5, F5, 43, 99, 5C, 0F, AF, EF, C6, C6, EF, B8, 98, 36, 17, DF, 85, F5, 68, 1F, 8F, 00, 00, F6, C2, 69, 5F, 0F, BF, D5, 89, C0, 81, C7, 9B, 05, 00, 00, 19, CD, FE, CE, 00, D7, 33, F7, 0F, BF, D8, 8D, 15, 76, CD, 41, AC, 0F, BE, D6, 8D, 15, EE, B6, 51, CF, C6, C0, 01, FF, C2, 2B, C1, 89, D0, 51, F2, 8D, 2D, 40, 46, D8, 0A, 88, E8, E8, 24, 00, 00, 00, F2, 09...

Entropy:
6.5191

Code size:
1.6 MB (1,626,112 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
msiql

Command:
C:\windows\temp\00005586\msiql.exe \running


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-50-63-202-38.ip.secureserver.net  (50.63.202.38:80)

TCP (HTTP):
Connects to cloud.sunserver.in  (162.144.52.241:80)

TCP (HTTP):
Connects to reverse-31-186-8-101.turkticaret.net  (31.186.8.101:80)

TCP (HTTP):
Connects to customer.sharktech.net  (104.160.178.242:80)
