banload | ced8995052eb04eaa76fabfe606a380258bf803cc4b93202f135055663e3001d

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe

Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
3584	netsh.exe
3684	netsh.exe
4964	netsh.exe
3604	netsh.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023c93-206.dat	aspack_v212_v242
behavioral1/files/0x000a000000023d07-308.dat	aspack_v212_v242
behavioral1/files/0x0007000000023cf9-320.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NsProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NsProcess.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe	HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\heur-trojan-ransom.msil.trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe	HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe

Executes dropped EXE 59 IoCs

pid	Process
4296	HEUR-Trojan-Ransom.MSIL.Foreign.gen-c22c4171a9ba3fae54bbda30f9dcc05e9067d4e30c1edad665eada464925ab54.exe
1576	HEUR-Trojan-Ransom.MSIL.Gen.gen-674f97840252e8ea3752d8e80a3a60abddaa4633d6b5faa4aa327889a0b649f8.exe
2928	HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe
4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
2528	NsProcess.exe
2108	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
4796	HEUR-Trojan-Ransom.Win32.Encoder.vho-be603c8d2bd838f053b88e89359bda6624dfb4de023ff357e6a2a94c22374467.exe
4140	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
4116	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9890ba80b0993ef9f12e0b28a25e079979fb2baf00a89afb70bdf90b1ad4bc51.exe
1800	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
2600	HEUR-Trojan-Ransom.Win32.LockerGoga.gen-767242bc7f534aed1be6fc19f5c4b6cd405a9d10074a9b5a9316957ffc9339ee.exe
4836	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
2260	Trojan-Ransom.Win32.Blocker.gcdu-5298133b76b97ebba650026e99ee7c8be10cfad8aa80f9749875969dd1213c52.exe
868	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
4952	Trojan-Ransom.Win32.Blocker.msyd-e496d3afaacc3bb0ea50eca48a6bcac8de4bd7adb578b39b559b64dfc6fe9fb2.exe
4036	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe
1712	Trojan-Ransom.Win32.Encoder.kyp-e502aac901dde89f099bb29daf3c042e6ea99fa8e8d19585923249fabcb52209.exe
1628	RansomwareHOME.exe
8	NsProcess.exe
1820	NsProcess.exe
4904	NsProcess.exe
3788	NsProcess.exe
4368	NsProcess.exe
3512	winsvcs.exe
4812	NsProcess.exe
3584	NsProcess.exe
2432	NsProcess.exe
4516	NsProcess.exe
4952	NsProcess.exe
4408	TeenupExamClient_ST.exe
2244	NsProcess.exe
4428	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
1484	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
2768	NsProcess.exe
2116	NsProcess.exe
1120	NsProcess.exe
4524	NsProcess.exe
1224	NsProcess.exe
1492	NsProcess.exe
2316	NsProcess.exe
4560	NsProcess.exe
4788	NsProcess.exe
1784	NsProcess.exe
4904	NsProcess.exe
1836	NsProcess.exe
4116	NsProcess.exe
2920	NsProcess.exe
1980	NsProcess.exe
3008	NsProcess.exe
2548	NsProcess.exe
4452	NsProcess.exe
4124	NsProcess.exe
3916	NsProcess.exe
2396	NsProcess.exe
1972	NsProcess.exe
4980	NsProcess.exe
636	NsProcess.exe
1652	NsProcess.exe
4260	NsProcess.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023c9a-272.dat	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023c98-256.dat	themida
behavioral1/memory/1712-343-0x0000000000360000-0x0000000000C70000-memory.dmp	themida

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WirelessConfig = "c:\\users\\admin\\appdata\\roaming\\svchost10.exe"	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\94000696690303050\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\94000696690303050\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened for modification	C:\AUTORUN.INF	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\image.png"	RansomwareHOME.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 1484	4428	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe	179

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\stdafx.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\ceregreset.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\Cheat Engine.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\languages\How to add languages.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\languages\How to add languages.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\targetver.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\MonoDataCollector.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\PipeServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\stdafx.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
File created	C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe	TeenupExamClient_ST.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\dllmain.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\celua.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\Lua files in this folder get executed automatically.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\languages\language.ini	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\plugins\cepluginsdk.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaEventServer.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\stdafx.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\plugins\example-c\bla.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\dllmain.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\__tmp_rar_sfx_access_check_240674500	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\celua.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\Lua files in this folder get executed automatically.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\languages\language.ini	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\PipeServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\plugins\example-c\example-c.c	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\MonoDataCollector.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\Cheat Engine.exe	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\donottrace.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\plugins\example-c\bla.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\PipeServer.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\stdafx.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\commonmodulelist.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\donottrace.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\Metadata.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector\MonoDataCollector.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\stdafx.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaServer.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Common\Pipe.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\languages	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\languages\ru_RU	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaEventServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\plugins\example-c\example-c.c	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\languages\ru_RU\name.txt	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\plugins\cepluginsdk.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaServer.cpp	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\CEJVMTI.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\CEJVMTI.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\JavaEventServer.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Mono\MonoDataCollector	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Common\Pipe.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File opened for modification	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Common	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
File created	C:\Program Files (x86)\SetupRV\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\targetver.h	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\94000696690303050\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
File opened for modification	C:\Windows\94000696690303050\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
File opened for modification	C:\Windows\94000696690303050	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3916	4116	WerFault.exe	125
4040	1712	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.gcdu-5298133b76b97ebba650026e99ee7c8be10cfad8aa80f9749875969dd1213c52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Gen.gen-674f97840252e8ea3752d8e80a3a60abddaa4633d6b5faa4aa327889a0b649f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RansomwareHOME.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeenupExamClient_ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.kyp-e502aac901dde89f099bb29daf3c042e6ea99fa8e8d19585923249fabcb52209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9890ba80b0993ef9f12e0b28a25e079979fb2baf00a89afb70bdf90b1ad4bc51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NsProcess.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\TeenupClientST	NsProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\TeenupClientST\WarnOnOpen = "0"	NsProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Zoom\ZoomDisabled = "1"	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\TeenupClientST	NsProcess.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\TeenupClientST\WarnOnOpen = "0"	NsProcess.exe

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ = "PSTypeLib"	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open\command	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell	NsProcess.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\URL Protocol	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open	NsProcess.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32\ThreadingModel = "Both"	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open\command\ = "\"C:\\Users\\Admin\\Desktop\\00411\\HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe\" \"%1\""	NsProcess.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open\command\ = "\"C:\\Program Files (x86)\\TeenupExamClient_ST\\TeenupExamClient_ST.exe\" \"%1\""	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST	NsProcess.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\URL Protocol	NsProcess.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32\ = "C:\\Windows\\SysWOW64\\oleaut32.dll"	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell	NsProcess.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\TeenupClientST\shell\open\command	NsProcess.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	3848	7zFM.exe
Token: 35	3848	7zFM.exe
Token: SeSecurityPrivilege	3848	7zFM.exe
Token: SeDebugPrivilege	2864	taskmgr.exe
Token: SeSystemProfilePrivilege	2864	taskmgr.exe
Token: SeCreateGlobalPrivilege	2864	taskmgr.exe
Token: SeDebugPrivilege	1240	taskmgr.exe
Token: SeSystemProfilePrivilege	1240	taskmgr.exe
Token: SeCreateGlobalPrivilege	1240	taskmgr.exe
Token: 33	2864	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2864	taskmgr.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: 33	4428	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
Token: SeIncBasePriorityPrivilege	4428	VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3848	7zFM.exe
3848	7zFM.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
2864	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe
1240	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
4396	EXCEL.EXE
4396	EXCEL.EXE
4396	EXCEL.EXE
4396	EXCEL.EXE
4408	TeenupExamClient_ST.exe
4408	TeenupExamClient_ST.exe
4408	TeenupExamClient_ST.exe
4408	TeenupExamClient_ST.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1240	2864	taskmgr.exe	105
PID 2864 wrote to memory of 1240	2864	taskmgr.exe	105
PID 3516 wrote to memory of 4716	3516	powershell.exe	112
PID 3516 wrote to memory of 4716	3516	powershell.exe	112
PID 4716 wrote to memory of 4296	4716	cmd.exe	113
PID 4716 wrote to memory of 4296	4716	cmd.exe	113
PID 4716 wrote to memory of 1576	4716	cmd.exe	114
PID 4716 wrote to memory of 1576	4716	cmd.exe	114
PID 4716 wrote to memory of 1576	4716	cmd.exe	114
PID 4716 wrote to memory of 2928	4716	cmd.exe	115
PID 4716 wrote to memory of 2928	4716	cmd.exe	115
PID 4716 wrote to memory of 4792	4716	cmd.exe	116
PID 4716 wrote to memory of 4792	4716	cmd.exe	116
PID 4716 wrote to memory of 4792	4716	cmd.exe	116
PID 4792 wrote to memory of 2528	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	117
PID 4792 wrote to memory of 2528	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	117
PID 4792 wrote to memory of 2528	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	117
PID 4716 wrote to memory of 2108	4716	cmd.exe	119
PID 4716 wrote to memory of 2108	4716	cmd.exe	119
PID 4716 wrote to memory of 2108	4716	cmd.exe	119
PID 2528 wrote to memory of 3604	2528	NsProcess.exe	120
PID 2528 wrote to memory of 3604	2528	NsProcess.exe	120
PID 2528 wrote to memory of 3604	2528	NsProcess.exe	120
PID 4716 wrote to memory of 4796	4716	cmd.exe	121
PID 4716 wrote to memory of 4796	4716	cmd.exe	121
PID 4716 wrote to memory of 4140	4716	cmd.exe	124
PID 4716 wrote to memory of 4140	4716	cmd.exe	124
PID 4716 wrote to memory of 4140	4716	cmd.exe	124
PID 4716 wrote to memory of 4116	4716	cmd.exe	125
PID 4716 wrote to memory of 4116	4716	cmd.exe	125
PID 4716 wrote to memory of 4116	4716	cmd.exe	125
PID 4716 wrote to memory of 1800	4716	cmd.exe	126
PID 4716 wrote to memory of 1800	4716	cmd.exe	126
PID 4716 wrote to memory of 1800	4716	cmd.exe	126
PID 4716 wrote to memory of 2600	4716	cmd.exe	144
PID 4716 wrote to memory of 2600	4716	cmd.exe	144
PID 4716 wrote to memory of 2600	4716	cmd.exe	144
PID 4716 wrote to memory of 4836	4716	cmd.exe	129
PID 4716 wrote to memory of 4836	4716	cmd.exe	129
PID 4716 wrote to memory of 4836	4716	cmd.exe	129
PID 2528 wrote to memory of 3584	2528	NsProcess.exe	132
PID 2528 wrote to memory of 3584	2528	NsProcess.exe	132
PID 2528 wrote to memory of 3584	2528	NsProcess.exe	132
PID 4716 wrote to memory of 2260	4716	cmd.exe	134
PID 4716 wrote to memory of 2260	4716	cmd.exe	134
PID 4716 wrote to memory of 2260	4716	cmd.exe	134
PID 4716 wrote to memory of 868	4716	cmd.exe	137
PID 4716 wrote to memory of 868	4716	cmd.exe	137
PID 4716 wrote to memory of 868	4716	cmd.exe	137
PID 4716 wrote to memory of 4952	4716	cmd.exe	138
PID 4716 wrote to memory of 4952	4716	cmd.exe	138
PID 4716 wrote to memory of 4036	4716	cmd.exe	139
PID 4716 wrote to memory of 4036	4716	cmd.exe	139
PID 4716 wrote to memory of 4036	4716	cmd.exe	139
PID 4716 wrote to memory of 1712	4716	cmd.exe	141
PID 4716 wrote to memory of 1712	4716	cmd.exe	141
PID 4716 wrote to memory of 1712	4716	cmd.exe	141
PID 4036 wrote to memory of 1628	4036	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe	143
PID 4036 wrote to memory of 1628	4036	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe	143
PID 4036 wrote to memory of 1628	4036	Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe	143
PID 4792 wrote to memory of 8	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	147
PID 4792 wrote to memory of 8	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	147
PID 4792 wrote to memory of 8	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	147
PID 4792 wrote to memory of 1820	4792	HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe	150

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NsProcess.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00411.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.MSIL.Foreign.gen-c22c4171a9ba3fae54bbda30f9dcc05e9067d4e30c1edad665eada464925ab54.exe
    HEUR-Trojan-Ransom.MSIL.Foreign.gen-c22c4171a9ba3fae54bbda30f9dcc05e9067d4e30c1edad665eada464925ab54.exe
    3⤵
    - Executes dropped EXE
    PID:4296
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.MSIL.Gen.gen-674f97840252e8ea3752d8e80a3a60abddaa4633d6b5faa4aa327889a0b649f8.exe
    HEUR-Trojan-Ransom.MSIL.Gen.gen-674f97840252e8ea3752d8e80a3a60abddaa4633d6b5faa4aa327889a0b649f8.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1576
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe
    HEUR-Trojan-Ransom.MSIL.Trumper.gen-c2b66b94a8210a6608ddbca8915d7d03445d0b61e909a1d5175dc238f25a371c.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
    HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAaQByAGUAVwBhAGwAbABSAGUAZwBpAHMAdABlAHIAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABEAGUAcwBrAHQAbwBwAFwAMAAwADQAMQAxAFwASABFAFUAUgAtAFQAcgBvAGoAYQBuAC0AUgBhAG4AcwBvAG0ALgBXAGkAbgAzADIALgBCAGwAbwBjAGsAZQByAC4AZwBlAG4ALQAxAGYANgBmADgAYQBiAGIAOQAzADYAMgAzAGUAOQA4ADEAZgA4ADIAMQAxAGQAYwBiADcAYgAyAGUAZgA5AGQAOABmADYAYwBlADQANgA5AGIAMwA1ADkANgA4AGMAYwA1ADQAOAAwADYAYQBmADcAYwA3AGIAYQAyAGUAZgBlAC4AZQB4AGUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule name="HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe" program="C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe" new dir=in enable=yes action=allow edge=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3604
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe" dir=in action=allow program="C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Blocker.gen-1f6f8abb93623e981f8211dcb7b2ef9d8f6ce469b35968cc54806af7c7ba2efe.exe" enable=yes edge=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3584
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEUAbgBhAGIAbABlAFUAQQBDACIAPgA8AFAAYQByAGEAbQAxAD4APAAhAFsAQwBEAEEAVABBAFsARgBBAEwAUwBFAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      System policy modification
      PID:8
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1820
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBVAFIATAAgAFAAcgBvAHQAbwBjAG8AbABdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4904
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3788
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXABvAHAAZQBuAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4368
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXABvAHAAZQBuAFwAYwBvAG0AbQBhAG4AZABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4812
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAFwAcwBoAGUAbABsAFwAbwBwAGUAbgBcAGMAbwBtAG0AYQBuAGQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXAAwADAANAAxADEAXABIAEUAVQBSAC0AVAByAG8AagBhAG4ALQBSAGEAbgBzAG8AbQAuAFcAaQBuADMAMgAuAEIAbABvAGMAawBlAHIALgBnAGUAbgAtADEAZgA2AGYAOABhAGIAYgA5ADMANgAyADMAZQA5ADgAMQBmADgAMgAxADEAZABjAGIANwBiADIAZQBmADkAZAA4AGYANgBjAGUANAA2ADkAYgAzADUAOQA2ADgAYwBjADUANAA4ADAANgBhAGYANwBjADcAYgBhADIAZQBmAGUALgBlAHgAZQAiACAAIgAlADEAIgBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3584
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUAByAG8AdABvAGMAbwBsAEUAeABlAGMAdQB0AGUAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2432
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUAByAG8AdABvAGMAbwBsAEUAeABlAGMAdQB0AGUAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4516
  - - C:\Users\Admin\Desktop\00411\NsProcess.exe
      PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAFAAcgBvAHQAbwBjAG8AbABFAHgAZQBjAHUAdABlAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBXAGEAcgBuAE8AbgBPAHAAZQBuAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAwAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4952
  - - C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe
      "C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe" EXECUTE
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4408
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAaQByAGUAVwBhAGwAbABSAGUAZwBpAHMAdABlAHIAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzACAAKAB4ADgANgApAFwAVABlAGUAbgB1AHAARQB4AGEAbQBDAGwAaQBlAG4AdABfAFMAVABcAFQAZQBlAG4AdQBwAEUAeABhAG0AQwBsAGkAZQBuAHQAXwBTAFQALgBlAHgAZQBdAF0APgA8AC8AUABhAHIAYQBtADEAPgA8AFAAYQByAGEAbQAyAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall set rule name="TeenupExamClient_ST.exe" program="C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe" new dir=in enable=yes action=allow edge=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3684
      - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="TeenupExamClient_ST.exe" dir=in action=allow program="C:\Program Files (x86)\TeenupExamClient_ST\TeenupExamClient_ST.exe" enable=yes edge=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4964
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEUAbgBhAGIAbABlAFUAQQBDACIAPgA8AFAAYQByAGEAbQAxAD4APAAhAFsAQwBEAEEAVABBAFsARgBBAEwAUwBFAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:2768
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBVAFIATAAgAFAAcgBvAHQAbwBjAG8AbABdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXABvAHAAZQBuAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAEMAbABhAHMAcwBlAHMAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXABzAGgAZQBsAGwAXABvAHAAZQBuAFwAYwBvAG0AbQBhAG4AZABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABDAGwAYQBzAHMAZQBzAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAFwAcwBoAGUAbABsAFwAbwBwAGUAbgBcAGMAbwBtAG0AYQBuAGQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAIAAoAHgAOAA2ACkAXABUAGUAZQBuAHUAcABFAHgAYQBtAEMAbABpAGUAbgB0AF8AUwBUAFwAVABlAGUAbgB1AHAARQB4AGEAbQBDAGwAaQBlAG4AdABfAFMAVAAuAGUAeABlACIAIAAiACUAMQAiAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUAByAG8AdABvAGMAbwBsAEUAeABlAGMAdQB0AGUAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4560
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAUAByAG8AdABvAGMAbwBsAEUAeABlAGMAdQB0AGUAXABUAGUAZQBuAHUAcABDAGwAaQBlAG4AdABTAFQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4788
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAFAAcgBvAHQAbwBjAG8AbABFAHgAZQBjAHUAdABlAFwAVABlAGUAbgB1AHAAQwBsAGkAZQBuAHQAUwBUAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBXAGEAcgBuAE8AbgBPAHAAZQBuAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAwAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1784
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAUgBBAFYAQwBwAGwANgA0AFwARwBlAG4AZQByAGEAbABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsASgBEAFAAbwBwAHUAcABdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAMABdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAUgBBAFYAQwBwAGwAXABHAGUAbgBlAHIAYQBsAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBKAEQAUABvAHAAdQBwAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAwAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAUgB0AEgARABWAEMAcABsADYANABcAEcAZQBuAGUAcgBhAGwAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAEoARABQAG8AcAB1AHAAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbADAAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAUgB0AEgARABWAEMAcABsAFwARwBlAG4AZQByAGEAbABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsASgBEAFAAbwBwAHUAcABdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAMABdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAQQB1AGQAaQBvAFwAUgB0AGsATgBHAFUASQA2ADQAXABHAGUAbgBlAHIAYQBsAF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBKAEQAUABvAHAAdQBwAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAwAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwAQQB1AGQAaQBvAFwAUgB0AGsATgBHAFUASQBcAEcAZQBuAGUAcgBhAGwAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAEoARABQAG8AcAB1AHAAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbADAAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwASABEAEEAdQBkAGkAbwBdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAQQB1AHQAbwBQAG8AcAB1AHAAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbADAAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABSAGUAYQBsAHQAZQBrAFwASABEAEEAdQBkAGkAbwA2ADQAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAEEAdQB0AG8AUABvAHAAdQBwAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAwAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBEAFcATwBSAEQAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAF0AXQA+ADwALwBQAGEAcgBhAG0AMQA+ADwAUABhAHIAYQBtADIAPgA8ACEAWwBDAEQAQQBUAEEAWwBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAFoAbwBvAG0AXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAFoAbwBvAG0ARABpAHMAYQBiAGwAZQBkAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwAxAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3916
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBDAHIAZQBhAHQAZQBLAGUAeQAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBdAF0APgA8AC8AUABhAHIAYQBtADEAPgA8AFAAYQByAGEAbQAyAD4APAAhAFsAQwBEAEEAVABBAFsAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAVQBuAGkAbgBzAHQAYQBsAGwAXABUAGUAZQBuAHUAcAAgAEUAeABhAG0AIABDAGwAaQBlAG4AdAAgAFMAZQBsAGYAIABUAGUAcwB0AF0AXQA+ADwALwBQAGEAcgBhAG0AMgA+ADwAUABhAHIAYQBtADMAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADMAPgA8AFAAYQByAGEAbQA0AD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAVABlAGUAbgB1AHAAIABFAHgAYQBtACAAQwBsAGkAZQBuAHQAIABTAGUAbABmACAAVABlAHMAdABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsARABpAHMAcABsAGEAeQBOAGEAbQBlAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBUAGUAZQBuAHUAcAAgAEUAeABhAG0AIABDAGwAaQBlAG4AdAAgACgAkMcArMTJ6LIpAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAVABlAGUAbgB1AHAAIABFAHgAYQBtACAAQwBsAGkAZQBuAHQAIABTAGUAbABmACAAVABlAHMAdABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsARABpAHMAcABsAGEAeQBJAGMAbwBuAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzACAAKAB4ADgANgApAFwAVABlAGUAbgB1AHAARQB4AGEAbQBDAGwAaQBlAG4AdABfAFMAVABcAFQAZQBlAG4AdQBwAEUAeABhAG0AQwBsAGkAZQBuAHQAXwBTAFQALgBlAHgAZQBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAVABlAGUAbgB1AHAAIABFAHgAYQBtACAAQwBsAGkAZQBuAHQAIABTAGUAbABmACAAVABlAHMAdABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAVQBuAGkAbgBzAHQAYQBsAGwAUwB0AHIAaQBuAGcAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAIAAoAHgAOAA2ACkAXABUAGUAZQBuAHUAcABFAHgAYQBtAEMAbABpAGUAbgB0AF8AUwBUAFwATgBzAFUAbgBpAG4AcwB0AGEAbABsAGUAcgAuAGUAeABlAF0AXQA+ADwALwBQAGEAcgBhAG0ANAA+ADwALwBJAHQAZQBtAD4APAAvAFIAbwBvAHQAPgA=
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAVABlAGUAbgB1AHAAIABFAHgAYQBtACAAQwBsAGkAZQBuAHQAIABTAGUAbABmACAAVABlAHMAdABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsASQBuAHMAdABhAGwAbABIAG8AbQBlAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzACAAKAB4ADgANgApAFwAVABlAGUAbgB1AHAARQB4AGEAbQBDAGwAaQBlAG4AdABfAFMAVABdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEYAbgBTAGUAdABWAGEAbAB1AGUAXwBTAFoAIgA+ADwAUABhAHIAYQBtADEAPgA8ACEAWwBDAEQAQQBUAEEAWwBLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXQBdAD4APAAvAFAAYQByAGEAbQAxAD4APABQAGEAcgBhAG0AMgA+ADwAIQBbAEMARABBAFQAQQBbAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAVABlAGUAbgB1AHAAIABFAHgAYQBtACAAQwBsAGkAZQBuAHQAIABTAGUAbABmACAAVABlAHMAdABdAF0APgA8AC8AUABhAHIAYQBtADIAPgA8AFAAYQByAGEAbQAzAD4APAAhAFsAQwBEAEEAVABBAFsAUAB1AGIAbABpAHMAaABlAHIAXQBdAD4APAAvAFAAYQByAGEAbQAzAD4APABQAGEAcgBhAG0ANAA+ADwAIQBbAEMARABBAFQAQQBbAACzXNXBwPWsjNZYx4zBXQBdAD4APAAvAFAAYQByAGEAbQA0AD4APAAvAEkAdABlAG0APgA8AC8AUgBvAG8AdAA+AA==
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - C:\Program Files (x86)\TeenupExamClient_ST\NsProcess.exe
        
        PABSAG8AbwB0AD4APABJAHQAZQBtACAAQwBtAGQAPQAiAEQATABMAFIAZQBnAFMAZQByAHYAZQByADMAMgAiAD4APABQAGEAcgBhAG0AMQA+ADwAIQBbAEMARABBAFQAQQBbAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAIAAoAHgAOAA2ACkAXABUAGUAZQBuAHUAcABFAHgAYQBtAEMAbABpAGUAbgB0AF8AUwBUAFwATQBlAGQAaQBhAFwAQQB1AGQAaQBvAEMAbwBuAHQAcgBvAGwALgBvAGMAeABdAF0APgA8AC8AUABhAHIAYQBtADEAPgA8AFAAYQByAGEAbQAyAD4APAAhAFsAQwBEAEEAVABBAFsAXQBdAD4APAAvAFAAYQByAGEAbQAyAD4APABQAGEAcgBhAG0AMwA+ADwAIQBbAEMARABBAFQAQQBbAF0AXQA+ADwALwBQAGEAcgBhAG0AMwA+ADwAUABhAHIAYQBtADQAPgA8ACEAWwBDAEQAQQBUAEEAWwBdAF0APgA8AC8AUABhAHIAYQBtADQAPgA8AC8ASQB0AGUAbQA+ADwALwBSAG8AbwB0AD4A
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
    HEUR-Trojan-Ransom.Win32.Encoder.gen-2af01ae1215b1e3bd7bb978f1d4b1d99dac6ac5b64893f2f57e884028f8e1d6c.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Encoder.vho-be603c8d2bd838f053b88e89359bda6624dfb4de023ff357e6a2a94c22374467.exe
    HEUR-Trojan-Ransom.Win32.Encoder.vho-be603c8d2bd838f053b88e89359bda6624dfb4de023ff357e6a2a94c22374467.exe
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
    HEUR-Trojan-Ransom.Win32.Foreign.gen-df9db35119b314f2088e074ab8b010ea86f7a56c5ddf1825a24462fbaa574107.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4140
  - - C:\Windows\94000696690303050\winsvcs.exe
      C:\Windows\94000696690303050\winsvcs.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:3512
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9890ba80b0993ef9f12e0b28a25e079979fb2baf00a89afb70bdf90b1ad4bc51.exe
    HEUR-Trojan-Ransom.Win32.GandCrypt.gen-9890ba80b0993ef9f12e0b28a25e079979fb2baf00a89afb70bdf90b1ad4bc51.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 480
      4⤵
      Program crash
      PID:3916
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
    HEUR-Trojan-Ransom.Win32.Gen.gen-4570b785bd207255f6893e1309f54ae6710a855985fde0c02cf8cc5ac00eab2f.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.LockerGoga.gen-767242bc7f534aed1be6fc19f5c4b6cd405a9d10074a9b5a9316957ffc9339ee.exe
    HEUR-Trojan-Ransom.Win32.LockerGoga.gen-767242bc7f534aed1be6fc19f5c4b6cd405a9d10074a9b5a9316957ffc9339ee.exe
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Users\Admin\Desktop\00411\HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
    HEUR-Trojan-Ransom.Win32.PolyRansom.gen-2eac9eb46bed1bf8e2a642c0b31a557023ffc1eff8e342304bbfffb33ddd9129.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Users\Admin\Desktop\00411\Trojan-Ransom.Win32.Blocker.gcdu-5298133b76b97ebba650026e99ee7c8be10cfad8aa80f9749875969dd1213c52.exe
    Trojan-Ransom.Win32.Blocker.gcdu-5298133b76b97ebba650026e99ee7c8be10cfad8aa80f9749875969dd1213c52.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Users\Admin\Desktop\00411\Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
    Trojan-Ransom.Win32.Blocker.jaic-46c4243bf32a503089e89d97134c7c5211d368f22bd6cd92b7c29e86e8bfa035.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Users\Admin\Desktop\00411\Trojan-Ransom.Win32.Blocker.msyd-e496d3afaacc3bb0ea50eca48a6bcac8de4bd7adb578b39b559b64dfc6fe9fb2.exe
    Trojan-Ransom.Win32.Blocker.msyd-e496d3afaacc3bb0ea50eca48a6bcac8de4bd7adb578b39b559b64dfc6fe9fb2.exe
    3⤵
    - Executes dropped EXE
    PID:4952
- - C:\Users\Admin\Desktop\00411\Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe
    Trojan-Ransom.Win32.Encoder.kxs-ac14b1189c8c2573f9d8eb23e3158992db7745496583f6dbfe2115a37f6c4b48.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RansomwareHOME.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RansomwareHOME.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Users\Admin\Desktop\00411\Trojan-Ransom.Win32.Encoder.kyp-e502aac901dde89f099bb29daf3c042e6ea99fa8e8d19585923249fabcb52209.exe
    Trojan-Ransom.Win32.Encoder.kyp-e502aac901dde89f099bb29daf3c042e6ea99fa8e8d19585923249fabcb52209.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 384
      4⤵
      Program crash
      PID:4040
- - C:\Users\Admin\Desktop\00411\VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
    VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
  - - C:\Users\Admin\Desktop\00411\VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
      C:\Users\Admin\Desktop\00411\VHO-Trojan-Ransom.Win32.Rector.gen-4d5c150d5ad86d176499f109ec0a7598791fa8d46e87f1e178479c013cc9a44e.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4116 -ip 4116
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1712 -ip 1712
1⤵
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2600

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x510
1⤵
PID:820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery