File name:

q.exe

Full analysis: https://app.any.run/tasks/49f4d955-ad2c-4086-a41a-d4cda4a6c831
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 19, 2025, 18:54:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

592E0B91B505D49FE633703DCBAA5FC7

SHA1:

EF245D8018B53242AB180FFC539C89F89AD446D8

SHA256:

87701762C242860A49C530C363F44FA75D6EDC0EB9D7E423891DDDC195FEA78B

SSDEEP:

98304:WMW+pffwDrXLq9YM6TXzsHHqPf8Ye9EC4il0n7dt+kFDwTAGNonDIGUeI/mF88cg:SvKC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Windows Defender settings

      • q.exe (PID: 1348)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5332)
      • powershell.exe (PID: 6652)

    • Adds path to the Windows Defender exclusion list

      • q.exe (PID: 1348)

    • Steals credentials from Web Browsers

      • 0000007a0029.exe (PID: 5428)

    • Actions looks like stealing of personal data

      • 0000007a0029.exe (PID: 5428)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • q.exe (PID: 720)

    • Reads the date of Windows installation

      • q.exe (PID: 720)

    • Application launched itself

      • q.exe (PID: 720)

    • Starts POWERSHELL.EXE for commands execution

      • q.exe (PID: 1348)
      • 0000007a0029.exe (PID: 5428)

    • Script adds exclusion path to Windows Defender

      • q.exe (PID: 1348)

    • The process bypasses the loading of PowerShell profile settings

      • q.exe (PID: 1348)

    • Executable content was dropped or overwritten

      • q.exe (PID: 1348)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Potential Corporate Privacy Violation

      • 0000007a0029.exe (PID: 5428)

    • Checks for external IP

      • 0000007a0029.exe (PID: 5428)

    • Connects to unusual port

      • 0000007a0029.exe (PID: 5428)

    • Loads DLL from Mozilla Firefox

      • 0000007a0029.exe (PID: 5428)

  • INFO

    • Checks supported languages

      • q.exe (PID: 720)
      • q.exe (PID: 1348)
      • 0000007a0029.exe (PID: 5428)

    • Reads the computer name

      • q.exe (PID: 720)
      • 0000007a0029.exe (PID: 5428)

    • Process checks computer location settings

      • q.exe (PID: 720)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5332)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5332)
      • powershell.exe (PID: 6652)

    • Reads the software policy settings

      • slui.exe (PID: 2108)
      • slui.exe (PID: 6436)

    • Create files in a temporary directory

      • 0000007a0029.exe (PID: 5428)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Creates files or folders in the user directory

      • 0000007a0029.exe (PID: 5428)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Checks proxy server information

      • slui.exe (PID: 6436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:26 20:33:53+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 132608
InitializedDataSize: 68096
UninitializedDataSize: -
EntryPoint: 0x4970
OSVersion: 6
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start q.exe no specs conhost.exe no specs q.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe slui.exe 0000007a0029.exe powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
720"C:\Users\admin\AppData\Local\Temp\q.exe" C:\Users\admin\AppData\Local\Temp\q.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\q.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1348"C:\Users\admin\AppData\Local\Temp\q.exe" "C:\Users\admin\AppData\Local\Temp\q.exe" C:\Users\admin\AppData\Local\Temp\q.exe
q.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\q.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2108"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4608C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5176\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5256\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5332powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\Documents\App'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeq.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
5428"C:\Users\admin\Documents\App\0000007a0029.exe"C:\Users\admin\Documents\App\0000007a0029.exe
q.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\documents\app\0000007a0029.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
11 954
Read events
11 954
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
33
Text files
8
Unknown types
3

Dropped files

PID
Process
Filename
Type
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\discord.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\doD7q3c.db
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\bookmarks.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\passwords.txt
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\YThdX0s.db
MD5:
SHA256:
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\Octalyn\autofill.txt
MD5:
SHA256:
5332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xqhfbaou.l5d.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5332powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:72B6D8E008FE741606AE43547D2ECB5D
SHA256:D60D10FACB72554EBF09E8273EC984B2541B27C0658E9890ECE011FCF072098A
5332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mvwtd1xv.oud.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
54280000007a0029.exeC:\Users\admin\AppData\Local\Temp\gAOmP7J.dbbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
25
DNS requests
19
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6132
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5428
0000007a0029.exe
GET
200
172.67.74.152:80
http://api.ipify.org/?format=text
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6132
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.167
  • 23.48.23.145
  • 23.48.23.139
  • 23.48.23.158
  • 23.48.23.150
  • 23.48.23.164
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.130
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.130
  • 40.126.31.131
  • 20.190.159.71
  • 40.126.31.129
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
5428
0000007a0029.exe
Potential Corporate Privacy Violation
ET INFO External IP Lookup (ipify .org)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5428
0000007a0029.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info