File name: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe

Full analysis: https://app.any.run/tasks/295abfb9-f155-4ec8-86db-990446646623
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT worldwide, thanks to its source code being publicly available as open source. This malware can be used to control the victim's computer remotely.

Analysis date: January 14, 2025, 08:42:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
rat
quasar
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 948D8D109D5498949CB6DF8DDF011187
SHA1: A34388517B5D91508739469CFCB99415A0AAEEB3
SHA256: 68FE78C0A8961DA3A1121F95EBE63003C9A7C359EDF68542D971D92632357422
SSDEEP: 98304:q5toCiXTixte3q9cG8dkCgwvebFuJNWNgNhf+AiXXBg0Wn4i3MprB/CPeLsAJ+Kk:hLWWrPkxX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
      • Exccelworkbook.exe (PID: 6936)
    • QUASAR has been detected (YARA)

      • Exccelworkbook.exe (PID: 6936)
    • Connects to the CnC server

      • Exccelworkbook.exe (PID: 6936)
    • QUASAR has been detected (SURICATA)

      • Exccelworkbook.exe (PID: 6936)
  • SUSPICIOUS

    • Application launched itself

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6396)
      • Exccelworkbook.exe (PID: 6864)
    • Executable content was dropped or overwritten

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
    • Starts itself from another location

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
    • Contacting a server suspected of hosting a CnC

      • Exccelworkbook.exe (PID: 6936)
    • Connects to unusual port

      • Exccelworkbook.exe (PID: 6936)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2192)
  • INFO

    • Reads the computer name

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6396)
      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
      • Exccelworkbook.exe (PID: 6864)
      • Exccelworkbook.exe (PID: 6936)
    • Checks supported languages

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6396)
    • Creates files or folders in the user directory

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
    • Reads the machine GUID from the registry

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6396)
      • Exccelworkbook.exe (PID: 6936)
    • .NET Reactor protector has been detected

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6396)
      • Exccelworkbook.exe (PID: 6864)
    • The process uses the downloaded file

      • 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
      • Exccelworkbook.exe (PID: 6936)
    • Reads the software policy settings

      • Exccelworkbook.exe (PID: 6936)

Quasar

Process: Exccelworkbook.exe (PID: 6936)
Version: 1.4.1
C2 (6):
  • twart.myfirewall.org:9792
  • rency.ydns.eu:5287
  • wqo9.firewall-gateway.de:8841
  • code1.ydns.eu:5287
  • wqo9.firewall-gateway.de:9792
Sub_Dir: SubDir
Install_Name: Exccelworkbook.exe
Mutex: 025351e291-5d1041-4fa37-932c7-869aeiQec514992
Startup: pdfdocument
Tag: CODE
LogDir: Logs
Signature: XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1...
Certificate: MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3Vsd...
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:14 04:40:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 3784704
InitializedDataSize: 9728
UninitializedDataSize: -
EntryPoint: 0x39de7a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.9145.13810
ProductVersionNumber: 1.0.9145.13810
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Kyle Fiegener
FileDescription: Windows Forms doodads.
FileVersion: 1.0.9145.13810
InternalName: Wfdx.exe
LegalCopyright: Copyright 2010 Kyle Fiegener
LegalTrademarks: -
OriginalFileName: Wfdx.exe
ProductName: PsiComponents
ProductVersion: 1.0.9145.13810
AssemblyVersion: 1.0.9145.13810
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (no specs), 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (no specs), 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe, exccelworkbook.exe (no specs), exccelworkbook.exe (no specs), exccelworkbook.exe (#QUASAR), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6396
CMD: "C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
Path: C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Parent process: explorer.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Exit code: 0
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6800
CMD: "C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
Path: C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Parent process: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Exit code: 4294967295
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6808
CMD: "C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe"
Path: C:\Users\admin\Desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Parent process: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Exit code: 3
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\desktop\68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6864
CMD: "C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
Path: C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe
Parent process: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Exit code: 0
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\appdata\roaming\subdir\exccelworkbook.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6928
CMD: "C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
Path: C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe
Parent process: Exccelworkbook.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Exit code: 4294967295
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\appdata\roaming\subdir\exccelworkbook.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6936
CMD: "C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
Path: C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe
Parent process: Exccelworkbook.exe
User: admin
Company: Kyle Fiegener
Integrity Level: MEDIUM
Description: Windows Forms doodads.
Version: 1.0.9145.13810
Modules (images):
c:\users\admin\appdata\roaming\subdir\exccelworkbook.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 3 726
Read events: 3 724
Write events: 2
Delete events: 0

Modification events

Process: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe (PID: 6808)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: pdfdocument
Value: "C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe"

Process: Exccelworkbook.exe (PID: 6936)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: pdfdocument
Value: "C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe"
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 6808
Process: 68fe78c0a8961da3a1121f95ebe63003c9a7c359edf68542d971d92632357422.exe
Filename: C:\Users\admin\AppData\Roaming\SubDir\Exccelworkbook.exe
Type: executable
MD5: 948D8D109D5498949CB6DF8DDF011187
SHA256: 68FE78C0A8961DA3A1121F95EBE63003C9A7C359EDF68542D971D92632357422
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 8
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3296 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3296 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6936 | Exccelworkbook.exe | 94.156.177.117:9792 | twart.myfirewall.org | Vivacom | BG | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
twart.myfirewall.org
  • 94.156.177.117
malicious
rency.ydns.eu
  • 94.156.177.117
malicious
self.events.data.microsoft.com
  • 20.42.65.88
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to DDNS Domain .myfirewall .org
6936 | Exccelworkbook.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 15
6936 | Exccelworkbook.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
1 ETPRO signature available in the full report
No debug info