njrat | 7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewClient.exe
Size

141KB
MD5

a5e6869cc1b826c71ef68e6ab6196606
SHA1

0185672daadea373d19fa721ec644562eba3a82e
SHA256

7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845
SHA512

ba558d98bcaffc4d096d8238fdb5bd30deec836f5d650eec0bf205a3f3984ee770bff921f615aa937bc85bd0376f05076178b2cd774cf27dcedb6b133447564d
SSDEEP

3072:dUJ8T2SXZyrgoBJtbN/3MCK2kevEwl/6GJHSj7ZnC3Bx0Tcnsn+Mm4:R/JdSI5ebW+z0os+X4

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:10095

Mutex

discord.exe

Attributes

reg_key
discord.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NewClient.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe

Executes dropped EXE 3 IoCs

pid	Process
3568	discord.exe
1776	discord.exe
1264	discord.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	0.tcp.eu.ngrok.io
41	0.tcp.eu.ngrok.io
53	0.tcp.eu.ngrok.io
68	0.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 30 IoCs

evasion

pid	Process
1144	taskkill.exe
3744	taskkill.exe
1248	taskkill.exe
5020	taskkill.exe
212	taskkill.exe
3320	taskkill.exe
3748	taskkill.exe
1156	taskkill.exe
4784	taskkill.exe
4796	taskkill.exe
412	taskkill.exe
3660	taskkill.exe
3956	taskkill.exe
2520	taskkill.exe
2684	taskkill.exe
1956	taskkill.exe
4084	taskkill.exe
3500	taskkill.exe
3080	taskkill.exe
2012	taskkill.exe
2816	taskkill.exe
5028	taskkill.exe
384	taskkill.exe
4344	taskkill.exe
1900	taskkill.exe
1736	taskkill.exe
3700	taskkill.exe
4020	taskkill.exe
1812	taskkill.exe
1344	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1552	schtasks.exe
2248	schtasks.exe
5068	schtasks.exe
1108	schtasks.exe
3716	schtasks.exe
2428	schtasks.exe
4040	schtasks.exe
5072	schtasks.exe
3564	schtasks.exe
2032	schtasks.exe
2288	schtasks.exe
5104	schtasks.exe
2612	schtasks.exe
4596	schtasks.exe
3152	schtasks.exe
3372	schtasks.exe
2944	schtasks.exe
1664	schtasks.exe
464	schtasks.exe
4896	schtasks.exe
2584	schtasks.exe
4828	schtasks.exe
2636	schtasks.exe
3692	schtasks.exe
4372	schtasks.exe
2964	schtasks.exe
3208	schtasks.exe
3244	schtasks.exe
4824	schtasks.exe
3476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe
3568	discord.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe
Token: 33	3568	discord.exe
Token: SeIncBasePriorityPrivilege	3568	discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 3568	2588	NewClient.exe	84
PID 2588 wrote to memory of 3568	2588	NewClient.exe	84
PID 2588 wrote to memory of 4584	2588	NewClient.exe	85
PID 2588 wrote to memory of 4584	2588	NewClient.exe	85
PID 4584 wrote to memory of 4984	4584	cmd.exe	87
PID 4584 wrote to memory of 4984	4584	cmd.exe	87
PID 3568 wrote to memory of 1156	3568	discord.exe	89
PID 3568 wrote to memory of 1156	3568	discord.exe	89
PID 3568 wrote to memory of 2028	3568	discord.exe	91
PID 3568 wrote to memory of 2028	3568	discord.exe	91
PID 3568 wrote to memory of 4040	3568	discord.exe	93
PID 3568 wrote to memory of 4040	3568	discord.exe	93
PID 3568 wrote to memory of 5020	3568	discord.exe	96
PID 3568 wrote to memory of 5020	3568	discord.exe	96
PID 3568 wrote to memory of 228	3568	discord.exe	98
PID 3568 wrote to memory of 228	3568	discord.exe	98
PID 3568 wrote to memory of 4824	3568	discord.exe	100
PID 3568 wrote to memory of 4824	3568	discord.exe	100
PID 3568 wrote to memory of 5028	3568	discord.exe	102
PID 3568 wrote to memory of 5028	3568	discord.exe	102
PID 3568 wrote to memory of 3592	3568	discord.exe	104
PID 3568 wrote to memory of 3592	3568	discord.exe	104
PID 3568 wrote to memory of 2584	3568	discord.exe	106
PID 3568 wrote to memory of 2584	3568	discord.exe	106
PID 3568 wrote to memory of 4784	3568	discord.exe	114
PID 3568 wrote to memory of 4784	3568	discord.exe	114
PID 3568 wrote to memory of 1296	3568	discord.exe	116
PID 3568 wrote to memory of 1296	3568	discord.exe	116
PID 3568 wrote to memory of 2288	3568	discord.exe	118
PID 3568 wrote to memory of 2288	3568	discord.exe	118
PID 3568 wrote to memory of 384	3568	discord.exe	124
PID 3568 wrote to memory of 384	3568	discord.exe	124
PID 3568 wrote to memory of 1752	3568	discord.exe	126
PID 3568 wrote to memory of 1752	3568	discord.exe	126
PID 3568 wrote to memory of 4828	3568	discord.exe	128
PID 3568 wrote to memory of 4828	3568	discord.exe	128
PID 3568 wrote to memory of 3956	3568	discord.exe	135
PID 3568 wrote to memory of 3956	3568	discord.exe	135
PID 3568 wrote to memory of 3256	3568	discord.exe	137
PID 3568 wrote to memory of 3256	3568	discord.exe	137
PID 3568 wrote to memory of 5068	3568	discord.exe	139
PID 3568 wrote to memory of 5068	3568	discord.exe	139
PID 3568 wrote to memory of 3500	3568	discord.exe	141
PID 3568 wrote to memory of 3500	3568	discord.exe	141
PID 3568 wrote to memory of 3584	3568	discord.exe	143
PID 3568 wrote to memory of 3584	3568	discord.exe	143
PID 3568 wrote to memory of 1108	3568	discord.exe	145
PID 3568 wrote to memory of 1108	3568	discord.exe	145
PID 3568 wrote to memory of 2520	3568	discord.exe	147
PID 3568 wrote to memory of 2520	3568	discord.exe	147
PID 3568 wrote to memory of 1612	3568	discord.exe	149
PID 3568 wrote to memory of 1612	3568	discord.exe	149
PID 3568 wrote to memory of 4372	3568	discord.exe	151
PID 3568 wrote to memory of 4372	3568	discord.exe	151
PID 3568 wrote to memory of 4020	3568	discord.exe	153
PID 3568 wrote to memory of 4020	3568	discord.exe	153
PID 3568 wrote to memory of 1480	3568	discord.exe	155
PID 3568 wrote to memory of 1480	3568	discord.exe	155
PID 3568 wrote to memory of 3372	3568	discord.exe	157
PID 3568 wrote to memory of 3372	3568	discord.exe	157
PID 3568 wrote to memory of 212	3568	discord.exe	159
PID 3568 wrote to memory of 212	3568	discord.exe	159
PID 3568 wrote to memory of 4484	3568	discord.exe	161
PID 3568 wrote to memory of 4484	3568	discord.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NewClient.exe
"C:\Users\Admin\AppData\Local\Temp\NewClient.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1156
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2028
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:5020
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:228
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4824
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:5028
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3592
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2584
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4784
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1296
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2288
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:384
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1752
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3956
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3256
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5068
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3500
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3584
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1108
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2520
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1612
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4020
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1480
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:212
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4484
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2684
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2292
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1144
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:5096
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4796
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3184
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2944
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1812
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1424
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1664
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1956
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2320
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:464
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1344
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1048
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5104
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3080
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4036
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4344
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1964
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3476
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3744
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3520
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3716
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:412
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2440
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4596
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:4084
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:5000
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5072
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1900
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4728
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2248
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2012
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4724
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3564
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3320
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3708
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2428
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3748
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4396
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2032
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1248
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:636
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3208
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1736
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4072
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3244
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2816
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:724
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3692
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3700
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2256
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3152
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3660
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1840
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\NewClient.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    PID:4984

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\AppData\Roaming\discord.exe
C:\Users\Admin\AppData\Roaming\discord.exe
1⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\discord.exe.log

Filesize
319B

MD5
26ca4897aad21f536806c5e7925976e7

SHA1
f072e5b6bfd7ce28dbb16f162d9a4e05690fcbd8

SHA256
1c5b33fb22baaa5f9f1400e86f650aa4694387cdfa4835d3f60bebf203a491fd

SHA512
0f16a7f7fb34550bd91f042b2005cdc4233ca3e4be650abb832ff2f253358d7aa5fde1de4e1d9fc9e6cf971f1ed343ae6b575988083d9c4e3c6af96bdfb5d5a1

Download Submit
C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
141KB

MD5
a5e6869cc1b826c71ef68e6ab6196606

SHA1
0185672daadea373d19fa721ec644562eba3a82e

SHA256
7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845

SHA512
ba558d98bcaffc4d096d8238fdb5bd30deec836f5d650eec0bf205a3f3984ee770bff921f615aa937bc85bd0376f05076178b2cd774cf27dcedb6b133447564d

Download Submit
memory/2588-3-0x0000000001A80000-0x0000000001AAE000-memory.dmp

Filesize
184KB

Download
memory/2588-0-0x00007FFA20D15000-0x00007FFA20D16000-memory.dmp

Filesize
4KB

Download
memory/2588-4-0x000000001CA20000-0x000000001CAC6000-memory.dmp

Filesize
664KB

Download
memory/2588-5-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/2588-2-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/2588-16-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/2588-1-0x000000001C4A0000-0x000000001C96E000-memory.dmp

Filesize
4.8MB

Download
memory/3568-15-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/3568-17-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/3568-18-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download
memory/3568-22-0x000000001C1D0000-0x000000001C26C000-memory.dmp

Filesize
624KB

Download
memory/3568-23-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/3568-24-0x00007FFA20A60000-0x00007FFA21401000-memory.dmp

Filesize
9.6MB

Download