File name:

RuntimeBroker1.exe

Full analysis: https://app.any.run/tasks/86c643c5-a603-4c3d-8f25-8bb6197f6494
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 20:42:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
quasar
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

D285698235DEA8AE7E088919FEEDEF11

SHA1:

C584AB38BBE377C84AC5D817B0820C6C84C629CA

SHA256:

C413D08829F1DA9E20E13C2E9BE797CF8447F1041F52C48F12124AD615EA3E8E

SSDEEP:

3072:EtdHLuN/Mn5B5tKPeNWPLhKvbOM9MGNCvVcdSgkMNU6PjhN+2Q821kAnsob3TzmH:Edds9a+6Pji821kYbDRFg1J9jFt80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QUASAR mutex has been found

      • RuntimeBroker1.exe (PID: 6652)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2200)
      • RuntimeBroker1.exe (PID: 6652)

  • INFO

    • Reads the computer name

      • RuntimeBroker1.exe (PID: 6652)

    • Checks supported languages

      • RuntimeBroker1.exe (PID: 6652)

    • Disables trace logs

      • RuntimeBroker1.exe (PID: 6652)

    • Reads the software policy settings

      • RuntimeBroker1.exe (PID: 6652)

    • Checks proxy server information

      • RuntimeBroker1.exe (PID: 6652)

    • Reads the machine GUID from the registry

      • RuntimeBroker1.exe (PID: 6652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:07 15:10:02+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 270336
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x43fde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.2.0.0
InternalName: Client.exe
LegalCopyright:
OriginalFileName: Client.exe
ProductVersion: 1.2.0.0
AssemblyVersion: 1.2.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QUASAR runtimebroker1.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6652"C:\Users\admin\AppData\Local\Temp\RuntimeBroker1.exe" C:\Users\admin\AppData\Local\Temp\RuntimeBroker1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\users\admin\appdata\local\temp\runtimebroker1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
1 241
Read events
1 227
Write events
14
Delete events
0

Modification events

(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6652) RuntimeBroker1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RuntimeBroker1_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
13
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6652
RuntimeBroker1.exe
GET
301
88.198.193.213:80
http://telize.com/geoip
unknown
malicious
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6652
RuntimeBroker1.exe
GET
200
172.67.74.152:80
http://api.ipify.org/
unknown
malicious
2464
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6652
RuntimeBroker1.exe
GET
200
3.33.130.190:80
http://freegeoip.net/xml/
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6356
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6652
RuntimeBroker1.exe
88.198.193.213:80
telize.com
Hetzner Online GmbH
DE
malicious
6652
RuntimeBroker1.exe
88.198.193.213:443
telize.com
Hetzner Online GmbH
DE
malicious
6652
RuntimeBroker1.exe
3.33.130.190:80
freegeoip.net
AMAZON-02
US
shared
6652
RuntimeBroker1.exe
172.67.74.152:80
api.ipify.org
CLOUDFLARENET
US
shared
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
telize.com
  • 88.198.193.213
malicious
www.telize.com
  • 88.198.193.213
malicious
freegeoip.net
  • 3.33.130.190
  • 15.197.148.33
shared
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.67
  • 20.190.159.129
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.130
  • 40.126.31.69
  • 20.190.159.4
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)
2200
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6652
RuntimeBroker1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
6652
RuntimeBroker1.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
6652
RuntimeBroker1.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RuntimeBroker1.exe