File name: SQLi Dumper V10.3.zip
Full analysis: https://app.any.run/tasks/5d6b687a-6717-4631-97ba-8c8fe5c49291
Verdict: Malicious activity
Analysis date: April 20, 2024, 03:12:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: E7841C492D87017888EAD72F8E21CC64
SHA1: F00D94831B114767F4522A7884ADCFCB4A9D98AC
SHA256: E5E082480D493D9D8F87BA60943F01D220E4F8F41B4AF71E8DD0E5BD8169809B
SSDEEP: 98304:b2DETBKgCs8VKX1jH7kaUeB7NjWoG6U7q593awl7kUvPXI0VvFeItwqdiaFr2zPP:fVUw9/eXGg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Known privilege escalation attack
      • dllhost.exe (PID: 1376)
      • dllhost.exe (PID: 980)
  • SUSPICIOUS
    • Write to the desktop.ini file (may be used to cloak folders)
      • SqliDumperv10.3.exe (PID: 3456)
  • INFO
    • Checks supported languages
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 2000)
      • SqliDumperv10.3.exe (PID: 3456)
      • SqliDumperv10.3.exe (PID: 3300)
    • Reads the computer name
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3456)
      • SqliDumperv10.3.exe (PID: 3300)
      • SqliDumperv10.3.exe (PID: 2000)
    • Checks transactions between databases Windows and Oracle
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
    • Reads the machine GUID from the registry
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
    • Reads security settings of Internet Explorer
      • dllhost.exe (PID: 1376)
      • dllhost.exe (PID: 980)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 1072)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1072)
    • Creates files in the program directory
      • SqliDumperv10.3.exe (PID: 3456)
    • Manual execution by a user
      • SqliDumperv10.3.exe (PID: 2548)
      • SqliDumperv10.3.exe (PID: 3300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:10:31 15:08:36
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: SQLi Dumper V10.3/
All screenshots are available in the full report
Total processes: 50
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: start, winrar.exe, sqlidumperv10.3.exe (no specs), CMSTPLUA (no specs), sqlidumperv10.3.exe (no specs), sqlidumperv10.3.exe (no specs), CMSTPLUA (no specs), sqlidumperv10.3.exe (no specs)

Process information

PID 980
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 1072
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper V10.3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 1376
CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 2000
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: dllhost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID 2548
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID 3300
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID 3456
CMD: "C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe"
Path: C:\Users\admin\Desktop\SQLi Dumper V10.3\SqliDumperv10.3.exe
Parent process: dllhost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\sqli dumper v10.3\sqlidumperv10.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 4 672
Read events: 4 631
Write events: 41
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(1072) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\SQLi Dumper V10.3.zip
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(1072) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 3
Suspicious files: 1
Text files: 10
Unknown types: 0

Dropped files

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\English.xml (type: xml)
MD5: E932EA4DD931CD9039EC0CEA098DDF85
SHA256: E4284B97BE769C04F1E49DD649F7116D364D72EAC74443A7CD2C46C13220D06B

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\ChilkatDotNet46.dll (type: executable)
MD5: C347B978DB64C5B0922FDB620A30A757
SHA256: FA3A167968BE8ADFD68B88BF303EFC8F71E895366BF9297679988549534A8895

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\SqliDumperv10.3.exe (type: executable)
MD5: 3D49478072BF18339EF810C8EA7546B2
SHA256: E3300E30997C5A355F02CA6972711B2CA843D00A393B62C75818A43C27FF128D

PID 3456, SqliDumperv10.3.exe: C:\ProgramData\3R9qG8i3Z.ico (type: image)
MD5: 88D9337C4C9CFE2D9AFF8A2C718EC76B
SHA256: 95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438

PID 3456, SqliDumperv10.3.exe: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini (type: abr)
MD5: 5F54D1240735D46980B776AF554F44D3
SHA256: 2C80619D7E7C58257293CDA3A878C13E5856F4E06F6F90601276F7B9179C9E07

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\German.xml (type: xml)
MD5: 4A25B19B26DEF334C719E8D543F23486
SHA256: 97BB355062589C2C89E139E8174B71A15FBE89F10E2C72DE1489AD3B9B035B91

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\Russian.xml (type: xml)
MD5: 4C3341A7BFC47F68E779A50F9E669900
SHA256: 72515A8F2B7A29FC06E3A8FFD28D3D0DEA9E98D00CD9EB7B941703F7A3AFAB3E

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\French.xml (type: xml)
MD5: A46FDB87ECF4E654CAC6348C542A6D2C
SHA256: A4A5086AB9BFC8755F199B0F1C80F70EBF660768D031727BF71A624FBF99D2D9

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\LNG\Portuguese.xml (type: xml)
MD5: E1B7540D846CA89F57DE64305B94DBC9
SHA256: F6CDC1E33C9F9637B56FDAAB6AD47C8E72E9F384A9CFC9C2B356825C62531DCB

PID 1072, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1072.8410\SQLi Dumper V10.3\SkinSoft.VisualStyler.dll (type: executable)
MD5: D93366374B57B5A0FE3A1A8A1CA95F78
SHA256: 14F231441DAD16EF046AB97415C33195056A61B0240D7D890971E5F626068925
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info