Sample (download): Sqli_Dumper.rar

Full analysis: https://app.any.run/tasks/1369278a-872e-49f7-844c-0dfb35352da9
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data to force them to pay a ransom. Most often such programs encrypt files on the infected machine and demand a fee in exchange for the decryption key; some also steal sensitive information from the compromised computer or run DDoS attacks against the victim organization to add pressure. This tag is derived from the heuristic signatures listed below (in particular "Dropped file may contain instructions of ransomware" for PID 3124) rather than from observed encryption or extortion behaviour. The executable itself identifies as SQLi Dumper 8.3 in its version information (see Process information), is a .NET assembly judging by the mscoree.dll/mscoreei.dll modules it loads, and the recorded traffic consists of search-engine dork queries and single-quote SQL-injection probes (the `'A=0` and `'0=A` suffixes in the HTTP requests) against the URLs those searches returned. Treat the sample as an attack tool, not as ransomware, when triaging.

Analysis date: July 06, 2018, 19:42:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

76743FA5F136E5991820A8D10BD07C97

SHA1:

156976110F13218CB03B20217804F7F50EB14716

SHA256:

64DF23E58C94EEDECA61C2198CAEAB17A33F3283EE60C02E2F4E8B1869C003ED

SSDEEP:

196608:qAb6sAmjZSm2XieXpXjXMRxs+xGIW8xIa+CF0tWXe5Wl2FuH6UZ29y1ZR44hvrse:pDAmdShySVLMRxxbW8xIeytWXeJsatYX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SQLi Dumper.exe (PID: 3124)
    • Dropped file may contain instructions of ransomware

      • SQLi Dumper.exe (PID: 3124)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2488)
      • SQLi Dumper.exe (PID: 3124)
  • SUSPICIOUS

    • Reads internet explorer settings

      • SQLi Dumper.exe (PID: 3124)
    • Executable content was dropped or overwritten

      • 7zFM.exe (PID: 3604)
      • SQLi Dumper.exe (PID: 3124)
    • Connects to unusual port

      • SQLi Dumper.exe (PID: 3124)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • 7zFM.exe (PID: 3604)
      • SQLi Dumper.exe (PID: 3124)
    • Dropped object may contain URL's

      • 7zFM.exe (PID: 3604)
      • SQLi Dumper.exe (PID: 3124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 110716
UncompressedSize: 741809
OperatingSystem: Win32
ModifyDate: 2017:10:28 10:50:08
PackingMethod: Normal
ArchivedFileName: Sql Dumper\c.txt
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

start 7zfm.exe sqli dumper.exe searchprotocolhost.exe no specs

Process information

PID: 2488
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3124
CMD: "C:\Users\admin\Desktop\Sql Dumper\SQLi Dumper.exe"
Path: C:\Users\admin\Desktop\Sql Dumper\SQLi Dumper.exe
Parent process: explorer.exe
User:
admin
Company:
c4rl0s@jabber.ru
Integrity Level:
MEDIUM
Description:
SQLi Dumper
Exit code:
0
Version:
8.3.0.0
Modules
Images
c:\users\admin\desktop\sql dumper\sqli dumper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3604
CMD: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\AppData\Local\Temp\Sqli_Dumper.rar"
Path: C:\Program Files\7-Zip\7zFM.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip File Manager
Exit code:
0
Version:
16.04
Modules
Images
c:\program files\7-zip\7zfm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
472
Read events
453
Write events
19
Delete events
0

Modification events

(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: FolderShortcuts | Value: (none shown)
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: FolderHistory | Value: 43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C00530071006C0069005F00440075006D007000650072002E007200610072005C000000
  (decodes as NUL-terminated UTF-16LE: C:\Users\admin\AppData\Local\Temp\Sqli_Dumper.rar\)
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: PanelPath0 | Value: C:\Users\admin\AppData\Local\Temp\
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: FlatViewArc0 | Value: 0
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: PanelPath1 | Value: (none shown)
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: FlatViewArc1 | Value: 0
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: ListMode | Value: 771
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: Position | Value: 1600000016000000D60300000B02000000000000
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM | Operation: write | Name: Panels | Value: 0100000000000000DA010000
(PID) Process: (3604) 7zFM.exe | Key: HKEY_CURRENT_USER\Software\7-Zip\FM\Columns | Operation: write | Name: 7-Zip.Rar | Value: 0100000004000000010000000400000001000000A00000000700000001000000640000000800000001000000640000000C00000001000000640000000A00000001000000640000000B00000001000000640000000900000001000000640000000F00000001000000640000000D00000001000000640000000E00000001000000640000001000000001000000640000001100000001000000640000001300000001000000640000001700000001000000640000001600000001000000640000002100000001000000640000001F0000000100000064000000200000000100000064000000

All of the registry writes listed are 7-Zip File Manager UI state (recent folders, panel paths, window position, column layout) produced by opening the archive; the entries of forensic value are FolderHistory and PanelPath0, which record where the archive sat on disk. No registry writes by SQLi Dumper.exe are listed, so the tool leaves no persistence or configuration in the registry in this run.
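The FolderHistory value above is worth being able to read on any host where 7-Zip was used to open an archive, since it records the archives the user browsed from the GUI. The helper below is an added example, not part of the ANY.RUN report or of 7-Zip itself. It decodes the blob exactly as the report shows it (one NUL-terminated UTF-16LE path) and assumes that a history with several entries is simply several such strings back to back; that multi-entry layout is an assumption, only the single-entry blob from this report is observed here. The live-registry reader is a Windows-only convenience built on the standard `winreg` module.

```python
"""Decode 7-Zip File Manager's FolderHistory registry value (added example)."""
from __future__ import annotations

import sys

# Constructed from the report: the FolderHistory blob written by 7zFM.exe (PID 3604).
FOLDER_HISTORY_HEX = (
    "43003A005C00550073006500720073005C00610064006D0069006E005C0041007000"
    "700044006100740061005C004C006F00630061006C005C00540065006D0070005C00"
    "530071006C0069005F00440075006D007000650072002E007200610072005C000000"
)

ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".tar", ".gz", ".cab", ".iso")


def decode_utf16_multi(blob: bytes) -> list[str]:
    """Split a blob of NUL-terminated UTF-16LE strings into Python strings.

    One entry (as in the report) decodes to [path]. Several entries are assumed
    to be stored the same way, one after another (assumption, see lead-in).
    """
    if len(blob) % 2:
        raise ValueError("UTF-16LE data must have an even number of bytes")
    text = blob.decode("utf-16-le")
    return [entry for entry in text.split("\x00") if entry]


def encode_utf16_multi(entries: list[str]) -> bytes:
    """Inverse of decode_utf16_multi; used to build multi-entry blobs for testing."""
    return "".join(entry + "\x00" for entry in entries).encode("utf-16-le")


def folder_history_from_hex(hex_value: str) -> list[str]:
    """Decode the hex dump of the REG_BINARY value as printed in the sandbox report."""
    return decode_utf16_multi(bytes.fromhex(hex_value))


def archives_in_history(entries: list[str]) -> list[str]:
    """Keep history entries that point into an archive.

    7-Zip records an archive it browsed as a folder with a trailing backslash
    (e.g. ...\\Sqli_Dumper.rar\\), so strip it before checking the extension.
    """
    found = []
    for entry in entries:
        name = entry.rstrip("\\").lower()
        if name.endswith(ARCHIVE_SUFFIXES):
            found.append(entry)
    return found


def read_live_folder_history() -> list[str]:
    """Read HKCU\\Software\\7-Zip\\FM\\FolderHistory on the local machine (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, present only on Windows

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\7-Zip\FM") as key:
        value, kind = winreg.QueryValueEx(key, "FolderHistory")
    if kind != winreg.REG_BINARY:
        raise TypeError(f"FolderHistory has unexpected registry type {kind}")
    return decode_utf16_multi(value)


if __name__ == "__main__":
    history = folder_history_from_hex(FOLDER_HISTORY_HEX)
    for path in history:
        print("history entry:", path)
    for path in archives_in_history(history):
        print("archive opened in 7-Zip:", path)
```

Run it as-is to see the report's path recovered; on a Windows host, `read_live_folder_history()` pulls the current user's value directly, which is the quick check to make during triage of a workstation where an archive-borne tool was staged.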
Executable files
9
Suspicious files
2
Text files
50
Unknown types
1

Dropped files

PID  | Process  | Filename                                                                                                                | Type
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Result\Result(2.46.53 PM)\Dorks.txt |
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Result\Result(2.47.20 PM)\Dorks.txt |
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Result\Result(2.47.43 PM)\Dorks.txt |
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Result\Result(7.31.01)\Dorks.txt    |
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Result\Result(8.00.08)\Dorks.txt    |
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Pars.txt                             | text
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\c.txt                                                         | text
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\Dorks VIP HQ Gaming [Gadget Channel].txt                | text
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Develop.exe                          | executable
3604 | 7zFM.exe | C:\Users\admin\AppData\Local\Temp\7zE41EEB2FA\Sql Dumper\dorks\tdork\парсер дорок\Options.ini                          | text

The MD5 and SHA256 columns are empty in this excerpt; the Type column is shown only where the report gave one. "парсер дорок" is Russian for "dork parser". The 7zE41EEB2FA directory is 7-Zip's temporary extraction folder, so these files were opened from inside the archive in the 7-Zip GUI; SQLi Dumper.exe itself ran from C:\Users\admin\Desktop\Sql Dumper\, i.e. from a separate full extraction. The bundled Develop.exe was written to disk but never executed in this run (only three processes were monitored), so its behaviour is not covered by this report.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
584
TCP/UDP connections
2 511
DNS requests
247
Threats
5

HTTP requests

PID  | Process         | Method | HTTP Code | IP                  | URL                                                                                                                             | CN      | Type | Size    | Reputation
3124 | SQLi Dumper.exe | GET    | 504       | 52.214.130.163:80   | http://search.excite.com/excite.y.3/search/web?fcoid=417&fcop=topnav&fpid=27&q=indexing+html                                    | IE      |      |         | whitelisted
3124 | SQLi Dumper.exe | GET    | 504       | 52.214.130.163:80   | http://search.excite.com/excite.y.3/search/web?fcoid=417&fcop=topnav&fpid=27&q=indexing+html                                    | IE      |      |         | whitelisted
3124 | SQLi Dumper.exe | GET    | 302       | 37.187.174.101:80   | http://downloads.uk.aluk.com/downloads.php?product_type=4'A=0                                                                   | FR      |      |         | unknown
3124 | SQLi Dumper.exe | GET    | 302       | 148.253.251.167:80  | http://www.korea.net/Government/Current-Affairs/National-Affairs?affairId=656                                                   | US      |      |         | malicious
3124 | SQLi Dumper.exe | GET    | 504       | 52.214.130.163:80   | http://search.excite.com/excite.y.3/search/web?fcoid=417&fcop=topnav&fpid=27&q=indexing+html                                    | IE      |      |         | whitelisted
3124 | SQLi Dumper.exe | GET    | 200       | 90.156.201.56:80    | http://rcheliclub.ru/index.php?topic=8687.0                                                                                     | RU      | html | 11.6 Kb | malicious
3124 | SQLi Dumper.exe | GET    | 200       | 2.16.186.66:80      | http://www.wctv.tv/video?videoid=315                                                                                            | unknown | html | 18.1 Kb | whitelisted
3124 | SQLi Dumper.exe | GET    | 200       | 87.230.19.6:80      | http://www.zeven-adressbuch.de/register.php?cmd=search&ort='0=A                                                                 | DE      | html | 5.21 Kb | unknown
3124 | SQLi Dumper.exe | GET    | 200       | 70.42.219.29:80     | http://www.yext.com/pl/yahoo-claims/index.html?yh_source=srp_locallist_n                                                        | US      | html | 591 b   | suspicious
3124 | SQLi Dumper.exe | GET    | 302       | 199.0.184.165:80    | http://choiceconcepts.coop/ProductDetails/?productId=550988078&tab=Tile&referrerPage=ProductResults&refPgId=513731720&referrerModule=PRDREB | US      | html | 273 b   | malicious

The requests to search.excite.com (q=indexing+html, answered with 504 Gateway Timeout) are the tool's search-engine dork queries; the remaining URLs are result pages it then visits, and the ones ending in `'A=0` and `'0=A` carry a single quote appended to a parameter value, which is the injection probe that tests whether the parameter reaches a database query unescaped. The Reputation column is ANY.RUN's label for the destination host, and the hosts here are scan targets: nothing in the captured traffic looks like command-and-control.
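The `'A=0` and `'0=A` suffixes in the table above are what a targeted site sees in its own access log: ordinary GETs whose query parameter value contains an unbalanced single quote. The script below is an added example, not code from the report or from the tool. It parses Combined Log Format lines (constructed here, reusing the query strings from the report with RFC 5737 documentation addresses as clients, plus two benign-looking lines that also contain a quote), flags the SQLi Dumper marker as a definite probe, and counts any other quoted value as only a weak signal so that a single apostrophe in a search term does not page anyone.

```python
"""Spot SQLi-Dumper-style injection probes in web server access logs (added example)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Suffixes the tool appended to parameter values in the report's HTTP table.
PROBE_MARKERS = ("'A=0", "'0=A")

# Constructed sample log: the first two requests reuse the report's query strings,
# the last two are look-alikes (a URL-encoded quote, and a legitimate apostrophe).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2018:19:45:01 +0000] "GET /downloads.php?product_type=4'A=0 HTTP/1.1" 302 0
203.0.113.5 - - [06/Jul/2018:19:45:02 +0000] "GET /register.php?cmd=search&ort='0=A HTTP/1.1" 200 5335
203.0.113.5 - - [06/Jul/2018:19:45:03 +0000] "GET /index.php?topic=8687.0 HTTP/1.1" 200 11878
198.51.100.9 - - [06/Jul/2018:19:45:04 +0000] "GET /video?videoid=315%27 HTTP/1.1" 500 312
198.51.100.9 - - [06/Jul/2018:19:45:05 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 1200
"""


def suspicious_params(target: str) -> list[tuple[str, str, str]]:
    """Return (finding, param, decoded value) for query values carrying a single quote.

    A value ending in one of the SQLi Dumper markers is a definite probe; any
    other quote is a weak indicator (names like O'Reilly are legitimate input).
    """
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value.endswith(PROBE_MARKERS):
            findings.append(("sqli_dumper_probe", key, value))
        elif "'" in value:
            findings.append(("quote_in_param", key, value))
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse log lines and emit one alert per suspicious query parameter."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in (combined) log format; skip rather than guess
        for finding, param, value in suspicious_params(match["target"]):
            alerts.append({
                "ip": match["ip"],
                "path": urlsplit(match["target"]).path,
                "status": int(match["status"]),  # a 5xx here is the response side to correlate
                "finding": finding,
                "param": param,
                "value": value,
            })
    return alerts


def summarize_by_ip(alerts: list[dict]) -> dict[str, dict[str, int]]:
    """Count findings per client IP."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for alert in alerts:
        summary[alert["ip"]][alert["finding"]] += 1
    return {ip: dict(counter) for ip, counter in summary.items()}


def probing_sources(alerts: list[dict], weak_threshold: int = 3) -> list[str]:
    """IPs to act on: any definite probe, or a burst of quoted values (default 3 or more)."""
    flagged = []
    for ip, counts in summarize_by_ip(alerts).items():
        if counts.get("sqli_dumper_probe", 0) or counts.get("quote_in_param", 0) >= weak_threshold:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("probing sources:", probing_sources(found))
```

Feed it a real access log by replacing SAMPLE_LOG; the marker check is exact, so a renamed or updated scanner that changes its suffix falls back to the weak-signal path, which is why the per-IP count and the status code are kept alongside the match.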

Connections

PID  | Process         | IP                    | Domain                 | ASN                                     | CN | Reputation
3124 | SQLi Dumper.exe | 199.64.234.27:443     | customer.honeywell.com | Honeywell International, Inc.           | US | unknown
3124 | SQLi Dumper.exe | 218.255.130.182:8882  |                        | WTT HK Limited                          | HK | unknown
3124 | SQLi Dumper.exe | 178.63.120.76:1080    |                        | Hetzner Online GmbH                     | DE | unknown
3124 | SQLi Dumper.exe | 97.74.230.244:39763   |                        | GoDaddy.com, LLC                        | US | unknown
3124 | SQLi Dumper.exe | 194.67.207.42:1080    |                        | MAROSNET Telecommunication Company LLC  | RU | unknown
3124 | SQLi Dumper.exe | 185.162.235.215:1080  |                        | Serverius Holding B.V.                  | RU | unknown
3124 | SQLi Dumper.exe | 90.156.201.56:80      | rcheliclub.ru          | LLC masterhost                          | RU | suspicious
3124 | SQLi Dumper.exe | 70.42.219.29:80       | www.yext.com           | Internap Network Services Corporation   | US | suspicious
3124 | SQLi Dumper.exe | 52.214.130.163:80     | search.excite.com      | Amazon.com, Inc.                        | IE | unknown
3124 | SQLi Dumper.exe | 203.99.231.171:80     | www.bihaku-net.com     | RELATION Co., Ltd.                      | JP | unknown

The connections to bare IP addresses on 1080 (the IANA-registered SOCKS port), 8882 and 39763, with no DNS name behind them, are what fired the "Connects to unusual port" signature; they are consistent with the scanner relaying its requests through proxies, although the report does not show the proxied payloads. On an enterprise network, outbound SOCKS from a workstation to hosting-provider address space is the easier thing to alert on than the injection traffic itself, which leaves the network as plain HTTP to arbitrary sites.

DNS requests

Domain
IP
Reputation
www.wctv.tv
  • 2.16.186.66
  • 2.16.186.90
whitelisted
www.amicis.com
  • 198.49.23.144
  • 198.185.159.145
  • 198.185.159.144
  • 198.49.23.145
malicious
marketplace.wisbar.org
  • 199.91.248.202
unknown
customer.honeywell.com
  • 199.64.234.27
unknown
www.zeven-adressbuch.de
  • 87.230.19.6
unknown
www.bihaku-net.com
  • 203.99.231.171
unknown
www.yucon-solutions.be
  • 185.115.219.154
unknown
downloads.uk.aluk.com
  • 37.187.174.101
unknown
rcheliclub.ru
  • 90.156.201.56
  • 90.156.201.84
  • 90.156.201.100
  • 90.156.201.48
malicious
search.excite.com
  • 52.214.130.163
  • 34.243.189.7
  • 52.48.68.19
unknown

Threats

PID  | Process         | Class                                | Message                                                        | Hits
3124 | SQLi Dumper.exe | Potential Corporate Privacy Violation | ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit) | 5

All five IDS hits are the same Emerging Threats policy-class rule, which matches a TLS server certificate whose subject carries the placeholder organizational unit found in common default self-signed certificates. It describes the certificate of a destination the tool connected to, not an exploit or a malware signature, and is why the Threats counter reads 5 while no malware-specific rule fired.
No debug info