neshta | b2beeab94f7cbc38143e2a050c263476419bb48d2ec37470df5b1ee0da812f50

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2960	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13195~1.15\MICROS~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MI391D~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MIA062~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~2.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13195~1.15\MICROS~3.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2368	216	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	82
PID 216 wrote to memory of 2368	216	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	82
PID 216 wrote to memory of 2368	216	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	82
PID 2368 wrote to memory of 2960	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	92
PID 2368 wrote to memory of 2960	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	92
PID 2368 wrote to memory of 2960	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	92
PID 2960 wrote to memory of 2632	2960	svchost.com	93
PID 2960 wrote to memory of 2632	2960	svchost.com	93
PID 2960 wrote to memory of 2632	2960	svchost.com	93
PID 2368 wrote to memory of 3392	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	95
PID 2368 wrote to memory of 3392	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	95
PID 2368 wrote to memory of 3392	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	95
PID 2368 wrote to memory of 4272	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	96
PID 2368 wrote to memory of 4272	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	96
PID 2368 wrote to memory of 4272	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	96
PID 2368 wrote to memory of 4964	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	97
PID 2368 wrote to memory of 4964	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	97
PID 2368 wrote to memory of 4964	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	97
PID 2368 wrote to memory of 2720	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	98
PID 2368 wrote to memory of 2720	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	98
PID 2368 wrote to memory of 2720	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	98
PID 2368 wrote to memory of 1600	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	99
PID 2368 wrote to memory of 1600	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	99
PID 2368 wrote to memory of 1600	2368	0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\3582-490\0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\0941a59548b4f95082dfa17f85c6557c_JaffaCakes118.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TfIdAJRB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\TfIdAJRB /XML C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion