quasar | hxxps://workupload[.]com/file/37s32TPnyvX

Resubmissions

20/04/2025, 12:45

250420-pzjmksvyhv 3

20/04/2025, 12:35

250420-psjn1avxfv 10

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/37s32TPnyvX

Score

10^/10

quasar cscheat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.7.1

Botnet

CScheat

construction-fought.gl.at.ply.gg:50827

Mutex

9fff92a6-a5f6-4617-a024-6ec3d974dfd2

Attributes

encryption_key
F36FA1155B640D230516390AB2E231DE22A10EFC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002431f-153.dat	family_quasar
behavioral1/memory/5252-155-0x0000000000060000-0x0000000000118000-memory.dmp	family_quasar

Executes dropped EXE 6 IoCs

pid	Process
5252	Loader.bat
5020	Loader.bat
1496	Loader.bat
900	Loader.bat
3744	Loader.bat
3284	Loader.bat

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133896261391288355"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
952	chrome.exe
952	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe
Token: SeShutdownPrivilege	116	chrome.exe
Token: SeCreatePagefilePrivilege	116	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
4384	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe
116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 6096	116	chrome.exe	85
PID 116 wrote to memory of 6096	116	chrome.exe	85
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 2400	116	chrome.exe	86
PID 116 wrote to memory of 6116	116	chrome.exe	87
PID 116 wrote to memory of 6116	116	chrome.exe	87
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88
PID 116 wrote to memory of 4272	116	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/file/37s32TPnyvX
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb149cdcf8,0x7ffb149cdd04,0x7ffb149cdd10
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4308 /prefetch:2
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5204,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5744,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5640,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3268,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4896,i,12829267326564035746,5862865379564640950,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16746:88:7zEvent31159
1⤵
- Suspicious use of FindShellTrayWindow
PID:4384

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fluent Client\Loader.bat
1⤵
PID:564

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:5252

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fluent Client\logs.txt
1⤵
PID:4688

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:5564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
PID:3568

C:\Users\Admin\Downloads\Fluent Client\Loader.bat
"C:\Users\Admin\Downloads\Fluent Client\Loader.bat"
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Fluent Client\Loader.bat
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
480689388789c38021b6d830fb2244c4

SHA1
8e841ae6870a65c8ebe5b41faec6cd6dc67ae328

SHA256
13f36a924832b233281e8d9112addf7cbe6d0beb81c77220301186e6e3e6d123

SHA512
941bc77aadffafe1f1dbce91f06ec7a90ebd6821c47e3fcda5444fb38bb7b0ad2e8117335bea9813cffbf10782b71498c03f372de1fb821c65a3a580f559d2a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
216B

MD5
bd080cae5d90ca3caa1c976229f617cf

SHA1
89c77750f30bc5dc617b68eea91fdce116123290

SHA256
21d187c5d7c876ce5cf4f6774190d916f226cc92f39797c5a17e98d76be5b860

SHA512
81451bf68db7ab291023d5cf22bb2eaae65264a06ca0ed11fb0282ba6d733566726072a000717f6c19f3f0c2b641a3ed323c77942a0d1baae24c6351f083b289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
37c2fe25980bef472a69c312119140a6

SHA1
73af406c0b7d07cfc506dc5775caf3dde2012c1b

SHA256
22b59b77ae5a1a12ca110bc4508ca05262b8cd7917d75d97c5457ba706129a24

SHA512
5aaeedcd796c1b65e4c12acb8e3b99c56d543e6c9f6cc0deb1536f8b0b1419b332bf64de49a21bacf99b54285373e2b47278a18bb43d9de5835491fb2c553c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
aba0a5b6702f0e191e1e212923a5d684

SHA1
68e2754a0d45d542ca78f9f4a1f478825777f2c0

SHA256
2bed58b77b56ed4ad864d056d917a528cbef0fda59a87cf67213d39bd7e001cc

SHA512
161806df21c6129083474d51c6d6cd5469e1988535127221cb69bbbd974c180bb72d254f2e42c8e0f766490ab10629654242f5de609a476a23ce534fca9b23e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
33861ed2f357c5ca3303d5383ab01655

SHA1
8ab9728123243dce19b90f6f6c8e9b31ec5b7e31

SHA256
a0b20f21af720b7b404d3c4ecbe3dd2ad058ae349f42b97aad9a44b3ac29a12b

SHA512
f54242ed5a3007e9bf8a0643e67fa1d4efcb8eb38ad6662f0c4421809fc6d378a4de4272430db8696ba69ae564b379b0f5cb6acc1ff4195852bcd9e901870d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d3d6b76146f0b7a273c75be30ea39c6

SHA1
a36b6c5a55a23fd888ed79898f85e68d83d0d257

SHA256
d837a6d13fad354fe8ffceae8b431714a148b35956c19773e3316cec5390f657

SHA512
91219e9dc9dffab8ff979b3dcacaaea24e28af6e6017c1600e223cbf679aba63bfac8bfa07a66aa42fec6ab9be0e38d0f7a89eca8209b4c4cfd44141d96066b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8f56e88e0fc5f0bd4c365a1910d1ea38

SHA1
013d4623acb133b5f08be4c2d6e50658b6eb8bef

SHA256
ce1a5f8ab88dc06fae06c518ee08abed39093d17d6ffd5b3b8f5edb2ef3b18e7

SHA512
92d3270d5d6dbaa897cb6396055884144e69121087db038d36ce9c105a6c87eb429b60dd335590ab71395c077c694034a9d928e57fb56e396465565bd4708599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
e05565a26e4083714bdd1bd8833e3ccd

SHA1
b014d777ae59ec0762e9b4b0c5ad25963cb14f3a

SHA256
1a57ca7f032d662028bdf6026bb33cb6f945dc56e15063bae7a0c307f0506b1c

SHA512
d714a9c624470f6f6421734026e1f097caa7a55fdc8ef3eb8597e83ca98bb80a3dc0d7918f93e6d8a4a63a8875316b55dc36a0cfad4c320b9bec9ae77cf6775a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c4c7.TMP

Filesize
48B

MD5
f16595e0ba6c9290bb1d63a719e0d29a

SHA1
ca057bdc82fb3e4ce82f2db756be46a6b49c66c3

SHA256
9d262583665e4b048e48691dd49470994a019fda9a5879012869b7c297e6fd73

SHA512
1c433d2e753d57eef290506f9ce93b67ea918b58ec96fccb42e21a24b1426067fcd40fad30c994f38dbcbea529ef46353458b9981d1fd2b29dd365eb381fc0b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
ca6349daec5957467b17d242f66611dc

SHA1
8624b175646d86549142a25ad0c54ddf1d210eda

SHA256
141b0b64f05f7436cc4f9fba0f4d5f610655398c205ff57ac573a0d626f3c75e

SHA512
0266147e781e0ad291acc84076d31b649aae813fb9ae460e8b067d0f324e007be1ef93c67200776e19ea749c205dc12b0a8211011e159de90eda73746499d62f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d1b19d1ac781d190b46d7dee629e65b5

SHA1
408f6317651400ba1773c2bc31dd677601a963ab

SHA256
54ab746c6829c706c97184ceac7f9b59610a1c4c57d9ac7f172bf10affd2c6d6

SHA512
41f44e8032bef952c30959baec3d1796b22cf6d3a7d3444792094e81df5888f5047ebe1fba58af4dc64b0c4674106154b145ccc67756b7ca5f2985aaf7e57557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
f255f1282a31ec11003cbeb2ae05fe8b

SHA1
c5156c3505ed18beab1d079feaadd0d8819fdd12

SHA256
400a1792273d295f5076d37c245d52a2d4b32d36e00b57e3e8027c1e02d853c2

SHA512
0db1ed1851be815c7fc27a6bde3261902fdeecfd5b25015de01f85f1c4695a222b98134003fe2dfbbcb16aa28080cfdcce2f32703d66cd43a8b8da2623816d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.bat.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\Downloads\Fluent Client.zip.crdownload

Filesize
325KB

MD5
c9d8b0cdb0856e319f627177b2877ad5

SHA1
949fd22367335aa6070147a560ea98619083eec8

SHA256
dd2eaa038141ddac44a5fe3f25bf7bcfd45042201c94ff4aa9f916efd3e8a3ab

SHA512
a8db0f5b185f0543f668dbf8595d3197ecef5afad2da49add69767d9a5a59be4552b6b1e702ae0a1601c75ec024afc7551b84bf83b2975b601cc262cfe5a1cf1

Download Submit
C:\Users\Admin\Downloads\Fluent Client\Loader.bat

Filesize
709KB

MD5
23b393db9583bd4d85a9f1d3975d8551

SHA1
c01bcbad52e8bcbaf25b09c2b4a4422c807e81fa

SHA256
60debe1a7f52de5a37180d961804f207c84077738536664a02bfad14ce46e6c0

SHA512
325161424b44b7c57f23a6bf1d599ab014af69c5413b78371ce00625578871801cf629cb19f6a1022127f41124c4b3b24ba578d6547c482ea6a129f0a5119728

Download Submit
C:\Users\Admin\Downloads\Fluent Client\logs.txt

Filesize
3B

MD5
8d5162ca104fa7e79fe80fd92bb657fb

SHA1
1184f5b8d4b6dd08709cf1513f26744167065e0d

SHA256
d0bca111f8628137adc4c16f123496dcdd1d590d06cb5d9acd68b39fe656fb97

SHA512
913ca2568dc2eff278bb6baeb4cdfeb6c9bf0e87e3d8bcb338c43913106a3eb4b91526b5e4d50629c1dc30999a4e98dbbcc0fc3156f42d51251528bf45c18161

Download Submit
memory/5252-155-0x0000000000060000-0x0000000000118000-memory.dmp

Filesize
736KB

Download
memory/5252-157-0x000000001AEB0000-0x000000001AF00000-memory.dmp

Filesize
320KB

Download
memory/5252-158-0x000000001AFC0000-0x000000001B072000-memory.dmp

Filesize
712KB

Download