File name: _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe

Full analysis: https://app.any.run/tasks/7eaef999-f1de-411d-b5ff-efa2e92418dc
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT worldwide thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.

Analysis date: January 30, 2026, 11:05:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: quasar
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7BC03CBE54172AAD2E9DD6FFB8C5DD1A
SHA1: 3900A5F59F4E6D9F9FCD79FE83C9C9D9796CC4C6
SHA256: 832F034DA54CD19AF56EBCCA7A58725FACABDEE54B35748ACC8CD9173288B35D
SSDEEP: 49152:uxwnJNU2fvwneV6v7pL5NB0Dkl27T5SQfi2/3Dg7rRtEhI/fsbWszqhLoGduaIHv:62fvseV6v7pLP2Dkl27T5SK3DgGWf+3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QUASAR has been detected (YARA)

      • _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Environment values

      • _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
    • Checks supported languages

      • _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
    • Reads the computer name

      • _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
    • Reads the machine GUID from the registry

      • _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
    • Checks proxy server information

      • slui.exe (PID: 2392)

Quasar

Process: _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (PID: 6348)
C2 (20):
zhidao.cn.com:4782
zhidao.cn.com:443
zhidao.cn.com:8080
zhidao.cn.com:8848
zhidao.cn.com:80
buyonlinepar.us.com:4782
buyonlinepar.us.com:443
buyonlinepar.us.com:8080
buyonlinepar.us.com:8848
buyonlinepar.us.com:80
dgstore24.ru.com:4782
dgstore24.ru.com:443
dgstore24.ru.com:8080
dgstore24.ru.com:8848
dgstore24.ru.com:80
s666vn.press:4782
s666vn.press:443
s666vn.press:8080
s666vn.press:8848
s666vn.press:80
Version: 1.4.1
Sub_Dir: VellaraNetwork
Install_Name: VellaraNetworkDefender.exe
Mutex: 39e09baf-9d84-44cd-a6ed-d85bc4d28ed5
Startup: Vellara Network Defender Service
Tag: Office04
LogDir: Logs
Signature (truncated): YCHtrZhhM85ccHaVdSWc68KVIl2w4yLikQrzK0CdH9gNuISN/zgjfbs3eFkHHGeBv6xvRMePpga563PvITbSFTLEp+xSBSuesqV5xolW6ItHVCCGuCbrpQ8eAGbDeN4VtdiSIt4z/5S5JH5IzyDf0L2DzjlG8GpHJgSKes1nJtTUhOclz8JU0N9dngFYA4BgpfZvekuRhP2qgdjeIjEUjyKBZVJeuPkYnlz1xTqMbUPmOmPazEd6qFNjt8DIljwWus9NAq2NeG4FS89z3rpEhEJpX8/qnlQZT5sZzVVneDQY...
Certificate (truncated): MIIE9DCCAtygAwIBAgIQAPtodfaESIOrSLRNpRfSGzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI2MDExODE0MzY0MVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhWkYPU6pUU6XhRhgCjRBlZu0qb6iCIzC02VeguGuGRLQhR8StVR0MtwFYq3H6QQ4GlM5uRDp...

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:12 16:16:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 3262976
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x31e85e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2033.12.52803.32492
ProductVersionNumber: 2033.12.52803.32492
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Vellara Security Labs (VSL)
FileDescription: Advanced network threat detection agent with deep packet inspection, encrypted traffic analytics, lateral movement blocking, and real-time alerting for enterprise hybrid and on-prem networks.
FileVersion: 2033.12.52803.32492
InternalName: VellaraNetworkDefender
LegalCopyright: Copyright © 2026-2033 Vellara Security Labs. All rights reserved.
LegalTrademarks: Vellara Network Defender™ and Defender Core™ are trademarks of VSL.
OriginalFileName: VellaraNetworkDefender
ProductName: VSL Vellara Network Defender
ProductVersion: 2033.12.52803.32492
AssemblyVersion: 2033.12.52803.32492
Total processes: 144
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: _832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe (tagged #QUASAR), slui.exe (no specs)

Process information

PID: 2392
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6348
CMD: "C:\Users\admin\Desktop\_832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe"
Path: C:\Users\admin\Desktop\_832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe
Parent process: explorer.exe
User: admin
Company: Vellara Security Labs (VSL)
Integrity Level: MEDIUM
Description: Advanced network threat detection agent with deep packet inspection, encrypted traffic analytics, lateral movement blocking, and real-time alerting for enterprise hybrid and on-prem networks.
Version: 2033.12.52803.32492
Modules (images):
c:\users\admin\desktop\_832f034da54cd19af56ebcca7a58725facabdee54b35748acc8cd9173288b35d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 3 660
Read events: 3 660
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 41
TCP/UDP connections: 44
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3036 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
3036 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
5512 | svchost.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7736 | RUXIMICS.exe | GET | 200 | 184.24.77.35:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
3036 | SIHClient.exe | GET | 200 | 74.178.76.128:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
356 | svchost.exe | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
356 | svchost.exe | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
3036 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
356 | svchost.exe | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
3036 | SIHClient.exe | GET | 304 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5512 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7736 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 2.16.241.206:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
5512 | svchost.exe | 184.24.77.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7736 | RUXIMICS.exe | 184.24.77.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 184.24.77.35:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain
IP
Reputation
self.events.data.microsoft.com
  • 52.182.143.215
  • 20.42.73.28
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.241.206
  • 2.16.241.207
  • 2.16.241.204
  • 2.16.241.196
  • 2.16.241.200
  • 2.16.241.205
  • 2.16.241.201
  • 2.16.241.208
  • 2.16.241.203
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.251.140.174
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.129
  • 40.126.31.1
  • 20.190.159.131
  • 20.190.159.23
  • 20.190.159.128
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.160.66
  • 20.190.160.4
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.130
  • 20.190.160.131
  • 20.190.160.65
  • 40.126.32.68
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.165.94.54
whitelisted

Threats

No threats detected