File name:

q.exe

Full analysis: https://app.any.run/tasks/49f4d955-ad2c-4086-a41a-d4cda4a6c831
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 19, 2025, 18:54:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

592E0B91B505D49FE633703DCBAA5FC7

SHA1:

EF245D8018B53242AB180FFC539C89F89AD446D8

SHA256:

87701762C242860A49C530C363F44FA75D6EDC0EB9D7E423891DDDC195FEA78B

SSDEEP:

98304:WMW+pffwDrXLq9YM6TXzsHHqPf8Ye9EC4il0n7dt+kFDwTAGNonDIGUeI/mF88cg:SvKC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5332)
      • powershell.exe (PID: 6652)

    • Changes Windows Defender settings

      • q.exe (PID: 1348)

    • Adds path to the Windows Defender exclusion list

      • q.exe (PID: 1348)

    • Actions looks like stealing of personal data

      • 0000007a0029.exe (PID: 5428)

    • Steals credentials from Web Browsers

      • 0000007a0029.exe (PID: 5428)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • q.exe (PID: 720)

    • Reads the date of Windows installation

      • q.exe (PID: 720)

    • Application launched itself

      • q.exe (PID: 720)

    • Starts POWERSHELL.EXE for commands execution

      • q.exe (PID: 1348)
      • 0000007a0029.exe (PID: 5428)

    • Script adds exclusion path to Windows Defender

      • q.exe (PID: 1348)

    • The process bypasses the loading of PowerShell profile settings

      • q.exe (PID: 1348)

    • Executable content was dropped or overwritten

      • q.exe (PID: 1348)

    • Loads DLL from Mozilla Firefox

      • 0000007a0029.exe (PID: 5428)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Potential Corporate Privacy Violation

      • 0000007a0029.exe (PID: 5428)

    • Checks for external IP

      • 0000007a0029.exe (PID: 5428)

    • Connects to unusual port

      • 0000007a0029.exe (PID: 5428)

  • INFO

    • Process checks computer location settings

      • q.exe (PID: 720)

    • Checks supported languages

      • q.exe (PID: 720)
      • q.exe (PID: 1348)
      • 0000007a0029.exe (PID: 5428)

    • Reads the computer name

      • q.exe (PID: 720)
      • 0000007a0029.exe (PID: 5428)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5332)
      • powershell.exe (PID: 6652)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5332)

    • Reads the software policy settings

      • slui.exe (PID: 2108)
      • slui.exe (PID: 6436)

    • Create files in a temporary directory

      • 0000007a0029.exe (PID: 5428)

    • Creates files or folders in the user directory

      • 0000007a0029.exe (PID: 5428)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Checks proxy server information

      • slui.exe (PID: 6436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:26 20:33:53+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 132608
InitializedDataSize: 68096
UninitializedDataSize: -
EntryPoint: 0x4970
OSVersion: 6
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start q.exe no specs conhost.exe no specs q.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe slui.exe 0000007a0029.exe powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
720"C:\Users\admin\AppData\Local\Temp\q.exe" C:\Users\admin\AppData\Local\Temp\q.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\q.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Users\admin\AppData\Local\Temp\q.exe" "C:\Users\admin\AppData\Local\Temp\q.exe" C:\Users\admin\AppData\Local\Temp\q.exe
q.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\q.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2108"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4608C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5176\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5256\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5332powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\Documents\App'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
5428"C:\Users\admin\Documents\App\0000007a0029.exe"C:\Users\admin\Documents\App\0000007a0029.exe
q.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\documents\app\0000007a0029.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
11 954
Read events
11 954
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
33
Text files
8
Unknown types
3

Dropped files

PID
Process
Filename
Type
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\discord.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\doD7q3c.db
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\bookmarks.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\passwords.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\YThdX0s.db
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\autofill.txt
MD5:
SHA256:
5332powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:72B6D8E008FE741606AE43547D2ECB5D
SHA256:D60D10FACB72554EBF09E8273EC984B2541B27C0658E9890ECE011FCF072098A
1348q.exeC:\Users\admin\Documents\App\0000007a0029.exeexecutable
MD5:E6F8650618944C7108FB7963DCF5C154
SHA256:1EE2878A2811E3B49D17E922B1B600A14E8FCAC47FE71EDFC3A47843161526B3
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\UabFzLG.dbsqlite
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\PcF5fza.dbbinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
25
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5428
0000007a0029.exe
GET
200
172.67.74.152:80
http://api.ipify.org/?format=text
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6132
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.167
  • 23.48.23.145
  • 23.48.23.139
  • 23.48.23.158
  • 23.48.23.150
  • 23.48.23.164
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.130
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.130
  • 40.126.31.131
  • 20.190.159.71
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
5428
0000007a0029.exe
Potential Corporate Privacy Violation
ET INFO External IP Lookup (ipify .org)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5428
0000007a0029.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info