discordrat | hxxps://github[.]com/ramer-py/aimmy/blob/main/aimmy%20roblox[.]exe

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ramer-py/aimmy/blob/main/aimmy%20roblox.exe

Score

10^/10

discordrat discovery persistence phishing rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMzA0MDkwNzU2OTc5NTA4Mg.GnB-rf.nnDGsX-Z9pGJFRsY4NrmXiHZ4ytAvcb7urIy1g
server_id
1322790854867292273

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Executes dropped EXE 3 IoCs

pid	Process
4920	aimmy roblox.exe
5088	aimmy roblox.exe
2968	aimmy roblox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
78	discord.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
75	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{AA9C514A-F2BF-4EC2-8588-A0632D51D505}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 615558.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
1576	msedge.exe
1576	msedge.exe
1944	msedge.exe
1944	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	3616	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3616	AUDIODG.EXE
Token: SeDebugPrivilege	4920	aimmy roblox.exe
Token: SeDebugPrivilege	5088	aimmy roblox.exe
Token: SeDebugPrivilege	2968	aimmy roblox.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe
1576	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3292	1576	msedge.exe	83
PID 1576 wrote to memory of 3292	1576	msedge.exe	83
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 2144	1576	msedge.exe	84
PID 1576 wrote to memory of 4500	1576	msedge.exe	85
PID 1576 wrote to memory of 4500	1576	msedge.exe	85
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86
PID 1576 wrote to memory of 3780	1576	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ramer-py/aimmy/blob/main/aimmy%20roblox.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8568146f8,0x7ff856814708,0x7ff856814718
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17050420476640717381,7851653773785365526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

C:\Users\Admin\Downloads\aimmy roblox.exe
"C:\Users\Admin\Downloads\aimmy roblox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Users\Admin\Downloads\aimmy roblox.exe
"C:\Users\Admin\Downloads\aimmy roblox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\Downloads\aimmy roblox.exe
"C:\Users\Admin\Downloads\aimmy roblox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://discord.com/
1⤵
PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8568146f8,0x7ff856814708,0x7ff856814718
  2⤵
  PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5e9d00e335c00e6ccf422562a97a29bd

SHA1
66900c8f7d212aea17ccefcbfdda96986a63f3f9

SHA256
853210ce08bc83d19721dd4a7fa60c7f3accb5ef5135a7ebad54c2102515038a

SHA512
a7611a60837355b015fb5a5d3ddecdeec1d9f7187ee73c6b2b0643bdb4391ae66bfa73566a0baccba9204124ad1b8c01ec511bda7b445bb854039896ce512647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ae4287664c9d7bf1543c44198c9486a

SHA1
b059935857911ebc5cbf2a9487361a04b49b09f0

SHA256
15272f3984f60264967aa3d557fece9eb6cbf9de14c303098b1fc1d0e05f1bcd

SHA512
e0788838ebcb4c079c6ef4202dc799baf459f4e0fe3830cb6b11b4e67dcc78cd068d751ccd76f2717aeb839176a4097319af42dc38adad0ac98c57868cd19b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a8ef2291938facc8576cb577f8e18d2a

SHA1
f884ef2fb8077e1946d0958c6807010fce66e794

SHA256
33b136061eff8afd3869be5effc58d5de0fbd834297c4703f942f9070317482f

SHA512
67ee4e61a5b9494f5a53da891f6b7a46f792ebbf2bb31282a824d282b162c916e5ff7f52e45dac9aa4ae358a18a1fdb531798f6b71230793ce03c3be899a1e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a92ac6970e7d4bbf2e213210eb53a095

SHA1
858845d2a38098aa22502a25c57e722ac93d8254

SHA256
6b6ca990854762499498743da57e05ec4f294851ad4eb3e3fd85ae3e2d13ce87

SHA512
261280dccfac6e00d979c57b025abbbbc0fd096d9745049f5f3625edb7d050b46ef9d1862e54560a858a1050663e83e05cd8400c21f6d361630d679d3947af0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e650f7b201b4cd4e518a5fb3fd59b3b4

SHA1
c91e1644d7347ec6bf254b59db9bd91c2a674276

SHA256
a64e2496f90d24c3c67bf558fd1a33cc63f98a995990407d93dd20bfde17e5ad

SHA512
bddc7db9b47e61027b710b38d3b60402f1e653a5c3a4693b86bc13f43aa741161ce330caf3314cf4ff0a68468f2b2af131ff488fa6bdeeb88f16fd56f62887d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
541b964443bdcc4318671c55a873b8f5

SHA1
308bcabca08d32c4b0eb40e6c5d1c2b776d36bbd

SHA256
4827c27083084078a353aee99881e4c7854d05a17d2aef9d0d9273e2b3aca470

SHA512
023041969f6d45d87d6f21a2b675da859d27dab3de3961e0db1b36b292615006c82d41c725c886332ff6b294b4fba2caad8eb4e286c8f949e81593f4364e22a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1985c8f5fbdc23ab627c29ec93df505

SHA1
4c16dd38579ce2fa0f4e4ddb7126ab8af3c01214

SHA256
5f90ba20d430800888418116a541f63403c85deb176783ba07c5f24a49c792f9

SHA512
550eb80254aa58735a02231ab3e405b2a21139424cc537ed049648d259e3f285a3dc7a7081189780ba737ceba48627a8e1d9f747e9f8c82f2d8497ad7a77ab02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6c0d65a2fccf15249450b447472ec63

SHA1
73eec310fa0f7bc8c2d45ad479ee36dddf808fee

SHA256
9ae9f4ef5cf627434438244dc662f456b80b019c8c4a7388ab3dfb87152fce26

SHA512
a40e1f35999edd50bc07c06ed8a3ecbec9bb6eae9e1ec7b6244cbc3b4a2fc30829977be636b24b4401aef7aada8b5b37b46ff64764defdae97a7faa2e009e2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
663987ffd1c04acc91f1bba42ca16340

SHA1
0c285a45f0171ca21dbc7b49c5496a3faba34302

SHA256
91eacf4b1b4d0f12e881ac144f54f5ed0f5cb2c939d812812a5f88f7e43b4fba

SHA512
25e0fbfdde10b9b05bb7d4ec0796f06d8bbd999cd020fe4c5c82bd60386e6d354f261c24cf65bf5461ae78f6f8edf45a02aaf7bdc7b96ca8e0762ac861c18c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0b0cb9c17a5afb57deba43607acf1a8

SHA1
82a2e708d85fc0a4b308fe86c126d9c5ee64d20b

SHA256
ab2e37c448074a10360afbb2fc641f62a55cde69a3521605554c9b31cc8b9147

SHA512
b1c081d00996dde87c857716742d923f225a88d48105cf949cffc8dc3eee07214d1a80c2c90106139fee40b433e3cf5fbaba49d643c2135d42c4c116d557fc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69716d43faff3903aaad99c7dfab411e

SHA1
68d02e517eb6577620c77aa55c05173c2a4d8e1d

SHA256
27a32ba5fb4c45ff46eac7e7c6d025156f33e214644935a2573e0d90a7be78c9

SHA512
ad2bff45480a673348aa3dc579cbfd6db65f06eb296805d7e2507a87aad8d7be8d46a1dd51615ea4bf2944ea1f03385ac0e87bcfed3474587e4dfba8ec014173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3f5e08150d577c54bed4b690d4eb04cb

SHA1
02dda1063c6ab745b1bf24aac0f18a7b60f5d587

SHA256
f29f75ddd384f370e1c005d05c7077a860512846b24da041fa871576e8b5d44b

SHA512
a1545088531fbe4e6e0740457386a4a48b50c7af9d9a842289804411b8b5efc149302e18cb483ab194b0ce5ca051d7e435ac1277f28ce96b3fddcadf5ba0d183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d021e53d11926d02ce7cc53f848b915

SHA1
df1b389edd2123b43b138e0d8723099f8403d35e

SHA256
58627214dd1c0a032615a621c158b9e51b5a2e63e58d845d599d51a3d0ee2a7a

SHA512
5ae9dae3fcb0e7305363a2429cdc7ef9307857e2e6100b655d511d5d29bf7fc19d133dd6580ced7138b2497b8fb212f9606164f083effd01e4dcdc08da5653c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4afd094ccbc1f5067158229f2b9c640d

SHA1
fbc0fcfab0f6a8b2fa942fd8382b350dffac2fde

SHA256
e85dd446b76a4b28c7171c558b021b41b965e2db55dbbf8f5e8da3fd332b860e

SHA512
c8140eee2ef7670b0e4dc5704ff27fe3485602b6ccf9f05987f1254196673de6fda5c9d560ad83c6a23e27bfd15aa469987ebed6049086385e15d503443b767b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581865.TMP

Filesize
874B

MD5
74fba4c47ad925de947db3b5a3186873

SHA1
e4f411774addb406e79ae4e5779ed4dfa82847f8

SHA256
043ef13f11acebac8be461c7afd6e47ed1894269dcdfa193dcffbcc6a2abc51a

SHA512
472fc85b43141dc0f454c93cdc64effb637df17f289b76fa1ec06d2b2b51a18e57d8ac2d1838ad1b9c3f7f0ef4d867b2904107efff16e60807415e78c680c8f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f9798bee60d80d6faaa9db64ab6b57e

SHA1
bdb43f08ee211b611e696c4d061f810b45ed8fcc

SHA256
52882b30282d0f80397807bbf9b770a49a5ed832cd2056b6fed8d6c785d08d2a

SHA512
d17d0a0672850904c66ad85aa6a44948b77b48655411208fea0e2e2bc2e1f87dd3ad22c66a4ea5da704a292cef8aa596dceb38153b9747ae279c8a4ee7f45150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5103944e999bc90443d6af8c42135280

SHA1
81ffe734acddcd145bb762b175de4bf875b15aa4

SHA256
0c467fc4a5d6d6cac1e4809e09db012a52ca33c49fe68c00eb4a6e88a0c32321

SHA512
bb1ba47f594c8068176757767a7e290a04c3f2b539720467ee444aaa93bb804767444d2eec22a49c4c6ac024ae64ca5c0000053a9fb1d3118d14330a3d2c3a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f878a5b92932c10b7cb31445973342c9

SHA1
f5840b7769db54d18c72be5114f9bb9f77672c22

SHA256
8bf8a2fdc6ff980f5199d011a8cb643e77748a15f666526a72c8da288583c7da

SHA512
ec8a97d9d9f261925af9ec21f96636fb0ca781af0c5e584feb9972236adaa67626bc5200cb4ce9147910755b83b3a6567fd0db0aa644d707dbbc770722aff0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
188d37cfb90934f4b4006e9e1d8c8e90

SHA1
dd1b0f87625b55418918e1305125b88a8290c8ca

SHA256
9a9df799c608b3a34cb84be161a5b8324e77c30008d58faa776404d7596c698f

SHA512
997b8f90e7b4f18a05d23dc471592550c8bae131d8fe410f6ad09fb6d13d2d6979d17c5acf1108af811aa65f9b39d68759ef98f21f8f109b06641a4dce5ca709

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 615558.crdownload

Filesize
78KB

MD5
920856a47582dd23735d958a7a5e6ae8

SHA1
b027ea9404d2cbc7e1a5a38d57a1b787adcffcb9

SHA256
41d6fd398be2e8eaf3af39573180b8755fbc7326d6aa9277fa7e8089dbe257c7

SHA512
13bcac1322e36b8922ff01d8f28d99b7e2c47bdb75b8d458d8d86f8e7cbb1ec6b5fba7d99af2bf069cfd24934d7cd17dce374d31408abc80227263c027480ddf

Download Submit
memory/4920-503-0x000001C19D920000-0x000001C19DE48000-memory.dmp

Filesize
5.2MB

Download
memory/4920-502-0x000001C19D120000-0x000001C19D2E2000-memory.dmp

Filesize
1.8MB

Download
memory/4920-501-0x000001C182B30000-0x000001C182B48000-memory.dmp

Filesize
96KB

Download