| File name: | SQL.exe |
| Full analysis: | https://app.any.run/tasks/01d200bf-9167-4f1e-8c17-c698121fd423 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | April 11, 2025, 18:28:22 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | EF0E5882C8BCAD3643D51D16C2F5500C |
| SHA1: | 6EC8E8996BB693056D2EBCFC18F517D3EC4CA82D |
| SHA256: | B869941A9C476585BBB8F48F7003D158C71E44038CEB2628CEDB231493847775 |
| SSDEEP: | 98304:leM1KWA7xnP1AAAGMeWPaWiXqC+vn6zLBWFffGP/+lgwSwaU1S+cHWb+VVfeo2ia:/5iZy |
MALICIOUS
Actions looks like stealing of personal data
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
Connects to the CnC server
- SQL.exe (PID: 5604)
SUSPICIOUS
Checks for external IP
- svchost.exe (PID: 1664)
- SQL.exe (PID: 5604)
Connects to unusual port
- SQL.exe (PID: 5604)
Loads DLL from Mozilla Firefox
- pingsender.exe (PID: 2336)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 4200)
Reads the Internet Settings
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
- pingsender.exe (PID: 4200)
Reads security settings of Internet Explorer
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 2336)
Reads settings of System Certificates
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
INFO
Checks transactions between databases Windows and Oracle
- SQL.exe (PID: 5740)
Reads the machine GUID from the registry
- SQL.exe (PID: 5740)
- SQL.exe (PID: 5604)
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 2336)
- pingsender.exe (PID: 3808)
Checks supported languages
- SQL.exe (PID: 5740)
- SQL.exe (PID: 5604)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 2336)
Reads security settings of Internet Explorer
- dllhost.exe (PID: 716)
Reads the computer name
- SQL.exe (PID: 5740)
- SQL.exe (PID: 5604)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
- pingsender.exe (PID: 4200)
Reads product name
- SQL.exe (PID: 5604)
Application launched itself
- firefox.exe (PID: 5936)
- firefox.exe (PID: 5812)
Reads Environment values
- SQL.exe (PID: 5604)
Manual execution by a user
- firefox.exe (PID: 5812)
Checks proxy server information
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
- pingsender.exe (PID: 4200)
Reads the software policy settings
- pingsender.exe (PID: 4200)
- pingsender.exe (PID: 3808)
- pingsender.exe (PID: 2336)
Creates files or folders in the user directory
- pingsender.exe (PID: 4200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:04:01 15:49:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 8591872 |
| InitializedDataSize: | 3158528 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7b4934 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
119
Monitored processes
17
Malicious processes
6
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 716 | C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1436 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | pingsender.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1664 | C:\Windows\system32\svchost.exe -k NetworkService -p | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1876 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 25978 -prefMapSize 243239 -jsInitHandle 1432 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02990c0f-98e2-480f-8c32-23d4fd815dcd} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 247deea6bd0 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
| 2276 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2336 | "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/f89ccb01-32d6-4a92-ae3d-602f257c49dd/health/Firefox/123.0/release/20240213221259?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\saved-telemetry-pings\f89ccb01-32d6-4a92-ae3d-602f257c49dd | C:\Program Files\Mozilla Firefox\pingsender.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Foundation Integrity Level: MEDIUM Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
| 2424 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2104 -parentBuildID 20240213221259 -prefsHandle 2096 -prefMapHandle 2084 -prefsLen 25692 -prefMapSize 243239 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc051dd8-06d2-4cb6-8069-232b9885ebac} 5936 "\\.\pipe\gecko-crash-server-pipe.5936" 247cb982310 socket | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
| 2708 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | pingsender.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3796 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | pingsender.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3808 | "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/8cb89066-871c-4312-ab82-4a0cac332605/event/Firefox/123.0/release/20240213221259?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\saved-telemetry-pings\8cb89066-871c-4312-ab82-4a0cac332605 | C:\Program Files\Mozilla Firefox\pingsender.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Foundation Integrity Level: MEDIUM Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
Total events
13 513
Read events
13 447
Write events
64
Delete events
2
Modification events
| (PID) Process: | (2276) dllhost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\4c\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\cmlua.dll,-100 |
Value: Connection Manager | |||
| (PID) Process: | (2276) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration |
| Operation: | write | Name: | DisplayCalibrator |
Value: C:\Users\admin\Desktop\SQL.exe | |||
| (PID) Process: | (2276) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration |
| Operation: | delete value | Name: | DisplayCalibrator |
Value: C:\Users\admin\Desktop\SQL.exe | |||
| (PID) Process: | (716) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (716) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (716) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (716) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (5812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: B1B928BD01000000 | |||
| (PID) Process: | (5936) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 749E29BD01000000 | |||
| (PID) Process: | (5936) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Progress |
Value: 0 | |||
Executable files
1
Suspicious files
284
Text files
24
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5936 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\8o2qovza.default-release\startupCache\startupCache.8.little | — | |
MD5:— | SHA256:— | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\prefs-1.js | text | |
MD5:06E512DE01367BACB953FA1E6CFEF38B | SHA256:21F4B29977D63802001DD3C09117AAD6A36C1B306827C688DC614650C3E0FDEE | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\prefs.js | text | |
MD5:06E512DE01367BACB953FA1E6CFEF38B | SHA256:21F4B29977D63802001DD3C09117AAD6A36C1B306827C688DC614650C3E0FDEE | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 5936 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\8o2qovza.default-release\compatibility.ini | text | |
MD5:1A1E16B0EA4ADE805E22DAE4B6A83476 | SHA256:5D8CCAE985792AB2D40F72335CD2B149F04C451F61C0FA37CBE4DC97C9918645 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
49
DNS requests
49
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
744 | lsass.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff515754a91c53da | unknown | — | — | whitelisted |
1396 | smartscreen.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | whitelisted |
744 | lsass.exe | GET | 200 | 216.58.206.67:80 | http://c.pki.goog/r/r4.crl | unknown | — | — | whitelisted |
744 | lsass.exe | GET | 200 | 216.58.206.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | whitelisted |
5604 | SQL.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/98.150.107.108 | unknown | — | — | whitelisted |
1396 | smartscreen.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11c3e380666ddbd7 | unknown | — | — | whitelisted |
1352 | svchost.exe | GET | 200 | 2.18.64.200:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | — | — | whitelisted |
2988 | OfficeClickToRun.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
5936 | firefox.exe | POST | 200 | 2.16.202.121:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5d698932ccffdd8a | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1396 | smartscreen.exe | 20.93.72.182:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5604 | SQL.exe | 45.227.252.199:7712 | — | — | AR | unknown |
5604 | SQL.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared |
1396 | smartscreen.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
744 | lsass.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
1352 | svchost.exe | 2.18.64.200:80 | — | Administracion Nacional de Telecomunicaciones | UY | unknown |
1396 | smartscreen.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
744 | lsass.exe | 216.58.206.67:80 | c.pki.goog | GOOGLE | US | whitelisted |
5336 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5604 | SQL.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
checkappexec.microsoft.com |
| whitelisted |
api.ipify.org |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
c.pki.goog |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
ip-api.com |
| whitelisted |
login.live.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1664 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
5604 | SQL.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |
1664 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
1664 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
5604 | SQL.exe | A Network Trojan was detected | ET MALWARE Aurotun Stealer CnC Checkin |
5604 | SQL.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |
1664 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
5604 | SQL.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
1664 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |