d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

General

Target

amix
Sample

190902-44h44rg53x
SHA256

d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc

Score

N/A

Malware Config

Signatures

Drops file in system dir 51 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

at	description	ioc	process
5226	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0\Microsoft.PowerShell.Commands.Management.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\e7dfdc741cadfdfed5b21e4b32006615\Microsoft.PowerShell.Commands.Management.ni.dll	mscorsvw.exe
5242	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\e7dfdc741cadfdfed5b21e4b32006615\Microsoft.PowerShell.Commands.Management.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\e7dfdc741cadfdfed5b21e4b32006615\Microsoft.PowerShell.Commands.Management.ni.dll.aux	mscorsvw.exe
5289	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0	mscorsvw.exe
9048	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6f0-0\Microsoft.PowerShell.Commands.Utility.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll	mscorsvw.exe
9048	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\6830998406929e1e293582edd9a8e1f5\Microsoft.PowerShell.Commands.Utility.ni.dll.aux	mscorsvw.exe
9095	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6f0-0	mscorsvw.exe
10530	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a4-0\Microsoft.PowerShell.ConsoleHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll	mscorsvw.exe
10546	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\b6ea02de2d9511e27ab8fa7434fe5440\Microsoft.PowerShell.ConsoleHost.ni.dll.aux	mscorsvw.exe
10577	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7a4-0	mscorsvw.exe
14041	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0\Microsoft.PowerShell.Core.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll	mscorsvw.exe
14072	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\680d4080ee5e60f2ed2e9d56b54be8d6\Microsoft.PowerShell.Core.Activities.ni.dll.aux	mscorsvw.exe
14134	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0	mscorsvw.exe
15866	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6ac-0\Microsoft.PowerShell.Diagnostics.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll	mscorsvw.exe
15866	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\4dd796da5cd3a7855c4bd754efed0d48\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux	mscorsvw.exe
15897	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6ac-0	mscorsvw.exe
28065	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0\Microsoft.PowerShell.Editor.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll	mscorsvw.exe
28081	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\3037a8e88408d67115e75b819628bff6\Microsoft.PowerShell.Editor.ni.dll.aux	mscorsvw.exe
28283	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0	mscorsvw.exe
36411	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\518-0\Microsoft.PowerShell.GPowerShell.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll	mscorsvw.exe
36427	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\bd15d0889b1627fe9c0fb70bd62db369\Microsoft.PowerShell.GPowerShell.ni.dll.aux	mscorsvw.exe
36489	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\518-0	mscorsvw.exe
39703	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1f4-0\Microsoft.PowerShell.GraphicalHost.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll	mscorsvw.exe
39718	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\e26d2700d474c30c13e234acb7fc3067\Microsoft.PowerShell.GraphicalHost.ni.dll.aux	mscorsvw.exe
39781	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1f4-0	mscorsvw.exe
40483	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\67c-0\Microsoft.PowerShell.ISECommon.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll	mscorsvw.exe
40498	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\d507795c38d9f9fb343d60b9d65171fa\Microsoft.PowerShell.ISECommon.ni.dll.aux	mscorsvw.exe
40529	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\67c-0	mscorsvw.exe
44149	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5ac-0\Microsoft.PowerShell.Management.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll	mscorsvw.exe
44164	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\5f7b8221a7d5c538f4354305f034f3ed\Microsoft.PowerShell.Management.Activities.ni.dll.aux	mscorsvw.exe
44227	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5ac-0	mscorsvw.exe
45756	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b4-0\Microsoft.PowerShell.ScheduledJob.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll	mscorsvw.exe
45756	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\4426e25e1efde40881762cc23d7aaa56\Microsoft.PowerShell.ScheduledJob.ni.dll.aux	mscorsvw.exe
45834	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2b4-0	mscorsvw.exe
46879	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0\Microsoft.PowerShell.Security.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll	mscorsvw.exe
46894	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\6b4f2136bd5323034fb9ff6c304b1e3e\Microsoft.PowerShell.Security.ni.dll.aux	mscorsvw.exe
46926	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\790-0	mscorsvw.exe
48049	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\598-0\Microsoft.PowerShell.Security.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll	mscorsvw.exe
48080	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\7621dae1e55ea8ab099a898f35536dba\Microsoft.PowerShell.Security.Activities.ni.dll.aux	mscorsvw.exe
48111	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\598-0	mscorsvw.exe
51824	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7c4-0\Microsoft.PowerShell.Utility.Activities.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll	mscorsvw.exe
51824	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\95ba4899f658f739a2a9f74896f9f387\Microsoft.PowerShell.Utility.Activities.ni.dll.aux	mscorsvw.exe
51886	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7c4-0	mscorsvw.exe
56691	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3e4-0\Microsoft.PowerShell.Workflow.ServiceCore.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll	mscorsvw.exe
56738	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\43318a90223fca7f3df29ad55b59382e\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	mscorsvw.exe
56832	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3e4-0	mscorsvw.exe
59000	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5ac-0\Microsoft.Windows.DSC.CoreConfProviders.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll	mscorsvw.exe
59000	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\eea6c6f43b338e0bdeac71fb35bf254d\Microsoft.Windows.DSC.CoreConfProviders.ni.dll.aux	mscorsvw.exe
59047	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5ac-0	mscorsvw.exe
60342	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3cc-0\Microsoft.WSMan.Management.dll => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll	mscorsvw.exe
60342	File renamed	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux.tmp => C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\5485e11ac0e4f0f52bde2b8cfdc783ae\Microsoft.WSMan.Management.ni.dll.aux	mscorsvw.exe
60420	File deleted	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3cc-0	mscorsvw.exe

Loads dropped DLL
Suspicious behavior: EnumeratesProcesses

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Processes:

amix.exe

at	description	ioc	process
20530	Set value (str)	\REGISTRY\USER\S-1-5-21-2407604620-1456373808-453316147-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b8631400-05bf-4223-8080-a723e26ce6a7\\amix.exe\" --AutoStart"	amix.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

amix.exe

at description process target process

20561 PID 1252 wrote to memory of 1256 amix.exe icacls.exe
22917 PID 1252 wrote to memory of 1244 amix.exe amix.exe

at	description	process	target process
20561	PID 1252 wrote to memory of 1256	amix.exe	icacls.exe
22917	PID 1252 wrote to memory of 1244	amix.exe	amix.exe

C:\Users\Admin\AppData\Local\Temp\amix.exe
C:\Users\Admin\AppData\Local\Temp\amix.exe
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 220 -NGENProcess 230 -Pipe 234 -Comment "NGen Worker Process"
1⤵
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 240 -NGENProcess 228 -Pipe 150 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 238 -NGENProcess 248 -Pipe 220 -Comment "NGen Worker Process"
1⤵
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 21c -NGENProcess 228 -Pipe 218 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 228 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"
1⤵
PID:112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 250 -NGENProcess 248 -Pipe 208 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 248 -NGENProcess 21c -Pipe 24c -Comment "NGen Worker Process"
1⤵
PID:840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 258 -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 244 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
1⤵
PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 260 -NGENProcess 21c -Pipe 228 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 21c -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
1⤵
PID:728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 268 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b8631400-05bf-4223-8080-a723e26ce6a7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\amix.exe
"C:\Users\Admin\AppData\Local\Temp\amix.exe" --Admin IsNotAutoStart IsNotTask
1⤵
PID:1244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 260 -Pipe 21c -Comment "NGen Worker Process"
1⤵
PID:1272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 270 -NGENProcess 258 -Pipe 244 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
1⤵
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 278 -NGENProcess 260 -Pipe 264 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 270 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
1⤵
PID:636

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 210 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 260 -NGENProcess 27c -Pipe 278 -Comment "NGen Worker Process"
1⤵
PID:1776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 288 -NGENProcess 280 -Pipe 23c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 288 -Pipe 134 -Comment "NGen Worker Process"
1⤵
PID:1556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 268 -NGENProcess 210 -Pipe 230 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 210 -NGENProcess 284 -Pipe 274 -Comment "NGen Worker Process"
1⤵
PID:1664

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 290 -NGENProcess 288 -Pipe 10c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 288 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
1⤵
PID:1968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 298 -NGENProcess 284 -Pipe 28c -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 284 -NGENProcess 290 -Pipe 294 -Comment "NGen Worker Process"
1⤵
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 210 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 27c -NGENProcess 268 -Pipe 2a4 -Comment "NGen Worker Process"
1⤵
PID:1656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 2b0 -NGENProcess 290 -Pipe 2ac -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 290 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"
1⤵
PID:496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a0 -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2b0 -NGENProcess 2b8 -Pipe 290 -Comment "NGen Worker Process"
1⤵
PID:1368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2b4 -NGENProcess 268 -Pipe 1ac -Comment "NGen Worker Process"
1⤵
- Drops file in system dir
PID:972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 268 -NGENProcess 29c -Pipe 2a0 -Comment "NGen Worker Process"
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads