File name:

payload.exe

Full analysis: https://app.any.run/tasks/3778b165-d07f-4b06-bee8-a39cecd370d1
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: August 01, 2025, 05:20:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
quasar
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

2FE88D785A064EA415426F4C1DF182DC

SHA1:

2FA86EA67832A5DC4B101F49CFFC9836B84E2410

SHA256:

2F259D1DC041F7695464DF6B106A54A96A814D376D7CD30647049F934E1E2C00

SSDEEP:

6144:jZjpnf9HG0f9xddy44D8J3sQQjx4o8nbgol5v20qsQvEcU09:jltgpVx4o8Uon2oMEcUI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QUASAR mutex has been found

      • payload.exe (PID: 2972)

    • QUASAR has been detected (YARA)

      • payload.exe (PID: 2972)

  • SUSPICIOUS

    • Checks for external IP

      • payload.exe (PID: 2972)

    • Connects to unusual port

      • payload.exe (PID: 2972)

    • There is functionality for taking screenshot (YARA)

      • payload.exe (PID: 2972)

  • INFO

    • Disables trace logs

      • payload.exe (PID: 2972)

    • Reads the computer name

      • payload.exe (PID: 2972)

    • Reads Environment values

      • payload.exe (PID: 2972)

    • Checks supported languages

      • payload.exe (PID: 2972)

    • Checks proxy server information

      • payload.exe (PID: 2972)

    • Creates files or folders in the user directory

      • payload.exe (PID: 2972)

    • Reads the machine GUID from the registry

      • payload.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process(2972) payload.exe
Version1.3.0.0
C2 (2)win2325.webredirect.org:5552
Sub_Dirup
Install_Nameupdate.exe
MutexQSR_MUTEX_EOUYwCNZvcVgWUvKae
Startupupdate
TagBuild1
LogDirLogsi
Signature
Certificate
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:26 01:18:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 352768
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x581ae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.3.0.0
InternalName: Client.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: -
ProductVersion: 1.3.0.0
AssemblyVersion: 1.3.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QUASAR payload.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2972"C:\Users\admin\AppData\Local\Temp\payload.exe" C:\Users\admin\AppData\Local\Temp\payload.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\payload.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Quasar
(PID) Process(2972) payload.exe
Version1.3.0.0
C2 (2)win2325.webredirect.org:5552
Sub_Dirup
Install_Nameupdate.exe
MutexQSR_MUTEX_EOUYwCNZvcVgWUvKae
Startupupdate
TagBuild1
LogDirLogsi
Signature
Certificate
Total events
2 156
Read events
2 141
Write events
15
Delete events
0

Modification events

(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2972) payload.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\payload_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2972payload.exeC:\Users\admin\AppData\Roaming\Logsi\08-01-2025binary
MD5:21ADBBC0B6023E2D5FD463407C53D326
SHA256:57136533DAFDBBA15891E60E9F4A6073774179A8CF5A8D07B052708CEB6057A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
payload.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
whitelisted
1268
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5188
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5188
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4520
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5504
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2972
payload.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
2972
payload.exe
34.174.99.226:5552
win2325.webredirect.org
GOOGLE-CLOUD-PLATFORM
US
malicious
4
System
192.168.100.255:138
whitelisted
4520
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4520
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
win2325.webredirect.org
  • 34.174.99.226
malicious
login.live.com
  • 40.126.31.71
  • 20.190.159.131
  • 20.190.159.73
  • 20.190.159.129
  • 40.126.31.130
  • 40.126.31.131
  • 40.126.31.67
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
payload.exe