d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

General

Target

amix
Sample

190902-3ldbs4wjda
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Drops file in system dir 45 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

at	description	ioc	process
7488	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b8-0\Microsoft.PowerShell.Commands.Utility.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll	mscorsvw.exe
7488	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux	mscorsvw.exe
7551	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b8-0	mscorsvw.exe
9360	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\77c-0\Microsoft.PowerShell.ConsoleHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll	mscorsvw.exe
9360	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux	mscorsvw.exe
9407	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\77c-0	mscorsvw.exe
13104	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\784-0\Microsoft.PowerShell.Core.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll	mscorsvw.exe
13120	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux	mscorsvw.exe
13213	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\784-0	mscorsvw.exe
15054	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\654-0\Microsoft.PowerShell.Diagnostics.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll	mscorsvw.exe
15054	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux	mscorsvw.exe
15117	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\654-0	mscorsvw.exe
27815	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0\Microsoft.PowerShell.Editor.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll	mscorsvw.exe
27862	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux	mscorsvw.exe
28158	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0	mscorsvw.exe
36114	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5f4-0\Microsoft.PowerShell.GPowerShell.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll	mscorsvw.exe
36114	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux	mscorsvw.exe
36270	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5f4-0	mscorsvw.exe
39328	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\734-0\Microsoft.PowerShell.GraphicalHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll	mscorsvw.exe
39328	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux	mscorsvw.exe
39390	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\734-0	mscorsvw.exe
40202	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0\Microsoft.PowerShell.ISECommon.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll	mscorsvw.exe
40233	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux	mscorsvw.exe
40248	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5b8-0	mscorsvw.exe
44554	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bc-0\Microsoft.PowerShell.Management.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll	mscorsvw.exe
44570	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux	mscorsvw.exe
44632	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1bc-0	mscorsvw.exe
46629	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14c-0\Microsoft.PowerShell.ScheduledJob.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll	mscorsvw.exe
46644	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux	mscorsvw.exe
46691	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14c-0	mscorsvw.exe
47986	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b8-0\Microsoft.PowerShell.Security.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll	mscorsvw.exe
48002	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux	mscorsvw.exe
48048	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b8-0	mscorsvw.exe
49187	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\344-0\Microsoft.PowerShell.Security.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll	mscorsvw.exe
49203	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux	mscorsvw.exe
49218	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\344-0	mscorsvw.exe
53508	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\718-0\Microsoft.PowerShell.Utility.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll	mscorsvw.exe
53508	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux	mscorsvw.exe
53571	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\718-0	mscorsvw.exe
58391	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5f4-0\Microsoft.PowerShell.Workflow.ServiceCore.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll	mscorsvw.exe
58391	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	mscorsvw.exe
58485	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5f4-0	mscorsvw.exe
60981	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a4-0\Microsoft.Windows.DSC.CoreConfProviders.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll	mscorsvw.exe
60996	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux	mscorsvw.exe
61028	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a4-0	mscorsvw.exe

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

amix.exe

at	description	ioc	process
20280	Set value (str)	\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1df32cde-28a0-495b-946c-fe0417bcbba5\\amix.exe\" --AutoStart"	amix.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

amix.exe

at description process target process

20327 PID 1224 wrote to memory of 496 amix.exe icacls.exe
24867 PID 1224 wrote to memory of 1916 amix.exe amix.exe

at	description	process	target process
20327	PID 1224 wrote to memory of 496	amix.exe	icacls.exe
24867	PID 1224 wrote to memory of 1916	amix.exe	amix.exe

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 220 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
1⤵
PID:1644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 240 -NGENProcess 228 -Pipe 210 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 228 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
1⤵
PID:1464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 248 -NGENProcess 230 -Pipe 218 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 228 -NGENProcess 244 -Pipe 200 -Comment "NGen Worker Process"
1⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 214 -NGENProcess 24c -Pipe 220 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 24c -NGENProcess 248 -Pipe 230 -Comment "NGen Worker Process"
1⤵
PID:1804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
1⤵
PID:280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 208 -Pipe 260 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1df32cde-28a0-495b-946c-fe0417bcbba5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 208 -NGENProcess 25c -Pipe 214 -Comment "NGen Worker Process"
1⤵
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 26c -NGENProcess 244 -Pipe 254 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 264 -NGENProcess 274 -Pipe 208 -Comment "NGen Worker Process"
1⤵
PID:284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 258 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
1⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 258 -NGENProcess 10c -Pipe 270 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1464

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 10c -NGENProcess 274 -Pipe 27c -Comment "NGen Worker Process"
1⤵
PID:600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 10c -InterruptEvent 268 -NGENProcess 228 -Pipe 238 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 228 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
1⤵
PID:284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 284 -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
1⤵
PID:1240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 258 -Pipe 10c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 278 -NGENProcess 290 -Pipe 28c -Comment "NGen Worker Process"
1⤵
PID:1428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 29c -NGENProcess 268 -Pipe 298 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 288 -NGENProcess 2a4 -Pipe 278 -Comment "NGen Worker Process"
1⤵
PID:496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 228 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 268 -NGENProcess 2a0 -Pipe 29c -Comment "NGen Worker Process"
1⤵
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2ac -NGENProcess 2a4 -Pipe 258 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2a4 -NGENProcess 228 -Pipe 2a8 -Comment "NGen Worker Process"
1⤵
PID:1640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 288 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2ac -NGENProcess 2bc -Pipe 2a4 -Comment "NGen Worker Process"
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads