File name:

SQLi Dumper V10.3.zip

Full analysis: https://app.any.run/tasks/5d6b687a-6717-4631-97ba-8c8fe5c49291
Verdict: Malicious activity
Analysis date: April 20, 2024, 03:12:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

E7841C492D87017888EAD72F8E21CC64

SHA1:

F00D94831B114767F4522A7884ADCFCB4A9D98AC

SHA256:

E5E082480D493D9D8F87BA60943F01D220E4F8F41B4AF71E8DD0E5BD8169809B

SSDEEP:

98304:b2DETBKgCs8VKX1jH7kaUeB7NjWoG6U7q593awl7kUvPXI0VvFeItwqdiaFr2zPP:fVUw9/eXGg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 1376)
      • dllhost.exe (PID: 980)
  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • SqliDumperv10.3.exe (PID: 3456)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1072)
    • Checks supported languages

      • SqliDumperv10.3.exe (PID: 3456)
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
      • SqliDumperv10.3.exe (PID: 2000)
    • Reads the computer name

      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3456)
      • SqliDumperv10.3.exe (PID: 3300)
      • SqliDumperv10.3.exe (PID: 2000)
    • Creates files in the program directory

      • SqliDumperv10.3.exe (PID: 3456)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 1376)
      • dllhost.exe (PID: 980)
    • Manual execution by a user

      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
    • Checks transactions between databases Windows and Oracle

      • SqliDumperv10.3.exe (PID: 3300)
      • SqliDumperv10.3.exe (PID: 2548)
    • Reads the machine GUID from the registry

      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:10:31 15:08:36
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: SQLi Dumper V10.3/
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (in listed order):
  • start
  • winrar.exe
  • sqlidumperv10.3.exe (no specs)
  • CMSTPLUA (no specs)
  • sqlidumperv10.3.exe (no specs)
  • sqlidumperv10.3.exe (no specs)
  • CMSTPLUA (no specs)
  • sqlidumperv10.3.exe (no specs)

Process information

PID: 980
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1072
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper V10.3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1376
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2000
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 2548
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3300
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3456
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: dllhost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 4 672
Read events: 4 631
Write events: 41
Delete events: 0

Modification events

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\SQLi Dumper V10.3.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 3
Suspicious files: 1
Text files: 10
Unknown types: 0

Dropped files

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\French.xml
MD5: A46FDB87ECF4E654CAC6348C542A6D2C
SHA256: A4A5086AB9BFC8755F199B0F1C80F70EBF660768D031727BF71A624FBF99D2D9

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\Portuguese.xml
MD5: E1B7540D846CA89F57DE64305B94DBC9
SHA256: F6CDC1E33C9F9637B56FDAAB6AD47C8E72E9F384A9CFC9C2B356825C62531DCB

PID: 1072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\ChilkatDotNet46.dll
MD5: C347B978DB64C5B0922FDB620A30A757
SHA256: FA3A167968BE8ADFD68B88BF303EFC8F71E895366BF9297679988549534A8895

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\Russian.xml
MD5: 4C3341A7BFC47F68E779A50F9E669900
SHA256: 72515A8F2B7A29FC06E3A8FFD28D3D0DEA9E98D00CD9EB7B941703F7A3AFAB3E

PID: 1072 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\Gotti_README.txt
MD5: 5031B63F625337CDF7E24263FC968C1B
SHA256: 80B128E46CD957BA47DF83DC9DBBD68423DAE30BAAA7498CF52F1283E482F23B

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\English.xml
MD5: E932EA4DD931CD9039EC0CEA098DDF85
SHA256: E4284B97BE769C04F1E49DD649F7116D364D72EAC74443A7CD2C46C13220D06B

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\German.xml
MD5: 4A25B19B26DEF334C719E8D543F23486
SHA256: 97BB355062589C2C89E139E8174B71A15FBE89F10E2C72DE1489AD3B9B035B91

PID: 1072 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\SqliDumperv10.3.exe
MD5: 3D49478072BF18339EF810C8EA7546B2
SHA256: E3300E30997C5A355F02CA6972711B2CA843D00A393B62C75818A43C27FF128D

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\Settings.xml
MD5: 75A5096A8D55E17102DF4580D915D6EE
SHA256: 84EF09FA32AA6C8E1171ED02EF98B2F3FCB64BDA620E74BCBC9B4B4969038457

PID: 1072 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\Persian.xml
MD5: 6BDC041287825A04B67895BB9111806C
SHA256: B947F3E9558296EEAEE767FFBF1CE4270DEFF8DBA8BC57EF648E1E86A1D55FB3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 224.0.0.252:5355 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info