asyncrat | e1f4ad954e8e13bd5119f7aa2ea8870079287addfa6ce12eaaf106739672b8e9

Analysis

max time kernel
384s
max time network
340s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExamShieldLauncher.exe
Size

1.9MB
MD5

98f879d15eb0cb66b16fbe84edb1ad32
SHA1

4a1c9b961ed8b2fdb61855169b822dd28e1a8239
SHA256

e1f4ad954e8e13bd5119f7aa2ea8870079287addfa6ce12eaaf106739672b8e9
SHA512

37d66e8c4dc423ffb25d4aff41f33f94b67fe0f85ce81444086e609f9f9727a997e731301588483ad926f2756557e40a46a7ebbfbce2638fccba21363f5cbb19
SSDEEP

49152:TleXbhrNfgqTzEin+caW8qLTWkceK4RVlkuXXGlc3KAMNmIlQJUJeJeXVi0w:TcbpNfgqTzUcyqLTjceTRVlkud3KA5Io

Score

10^/10

asyncrat coreentity discovery evasion rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

CoreEntity .NET Packer 20 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/3788-212-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-214-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-219-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-220-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-234-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-239-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-243-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-244-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-252-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-253-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-264-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-265-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/3788-293-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1116-299-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-305-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-310-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-311-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-319-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-320-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity
behavioral1/memory/1780-327-0x0000000000E20000-0x00000000034DE000-memory.dmp	coreentity

Async RAT payload 20 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3788-212-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-214-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-219-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-220-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-234-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-239-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-243-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-244-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-252-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-253-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-264-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-265-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/3788-293-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1116-299-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-305-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-310-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-311-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-319-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-320-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat
behavioral1/memory/1780-327-0x0000000000E20000-0x00000000034DE000-memory.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

ExamShieldSetup.exeExamShieldSetup.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeExamShield.exeExamShield.exeExamShield.exe

pid	process
1684	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
4744	ISBEW64.exe
1884	ISBEW64.exe
3404	ISBEW64.exe
1660	ISBEW64.exe
3504	ISBEW64.exe
4556	ISBEW64.exe
1172	ISBEW64.exe
3304	ISBEW64.exe
4044	ISBEW64.exe
3172	ISBEW64.exe
3788	ExamShield.exe
1116	ExamShield.exe
1780	ExamShield.exe

Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1540 netsh.exe
3648 netsh.exe
1488 netsh.exe
1884 netsh.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ExamShield.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SYSTEMBIOSVERSION ExamShield.exe

pid	process
1540	netsh.exe
3648	netsh.exe
1488	netsh.exe
1884	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SYSTEMBIOSVERSION	ExamShield.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ExamShieldLauncher.exeExamShieldSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ExamShieldLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ExamShieldSetup.exe

Loads dropped DLL 16 IoCs

Processes:

ExamShieldSetup.exeMsiExec.exeMsiExec.exeExamShield.exeExamShield.exeExamShield.exe

pid	process
4876	ExamShieldSetup.exe
4052	MsiExec.exe
4052	MsiExec.exe
4876	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
3788	ExamShield.exe
1116	ExamShield.exe
1780	ExamShield.exe
1780	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ExamShieldSetup.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

ExamShield.exeExamShield.exeExamShield.exe

pid process

3788 ExamShield.exe
1116 ExamShield.exe
1780 ExamShield.exe

pid	process
3788	ExamShield.exe
1116	ExamShield.exe
1780	ExamShield.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32C6.tmp	msiexec.exe
File created	C:\Windows\Installer\e582056.msi	msiexec.exe
File created	C:\Windows\Installer\e582054.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582054.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2565.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37B9.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4108 3788 WerFault.exe ExamShield.exe
652 1780 WerFault.exe ExamShield.exe

pid	pid_target	process	target process
4108	3788	WerFault.exe	ExamShield.exe
652	1780	WerFault.exe	ExamShield.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Gathers network information 2 TTPs 31 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid	process
4528	NETSTAT.EXE
4212	NETSTAT.EXE
4804	NETSTAT.EXE
4540	NETSTAT.EXE
2364	NETSTAT.EXE
4452	NETSTAT.EXE
2272	NETSTAT.EXE
3048	NETSTAT.EXE
1928	NETSTAT.EXE
4628	NETSTAT.EXE
1020	NETSTAT.EXE
4808	NETSTAT.EXE
744	NETSTAT.EXE
3524	NETSTAT.EXE
1608	NETSTAT.EXE
4956	NETSTAT.EXE
5108	NETSTAT.EXE
3364	NETSTAT.EXE
3144	NETSTAT.EXE
1480	NETSTAT.EXE
4212	NETSTAT.EXE
1880	NETSTAT.EXE
4528	NETSTAT.EXE
4968	NETSTAT.EXE
1772	NETSTAT.EXE
656	NETSTAT.EXE
4408	NETSTAT.EXE
3984	NETSTAT.EXE
1696	NETSTAT.EXE
1412	NETSTAT.EXE
520	NETSTAT.EXE

Modifies registry class 14 IoCs

Processes:

msiexec.exeExamShieldSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\examshield\shell\open\command\	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ExamShieldSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ExamShieldSetup.exemsiexec.exeExamShield.exe

pid	process
4876	ExamShieldSetup.exe
4876	ExamShieldSetup.exe
2212	msiexec.exe
2212	msiexec.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe
3788	ExamShield.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeExamShieldSetup.exe

description	pid	process
Token: SeSecurityPrivilege	2212	msiexec.exe
Token: SeCreateTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4876	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4876	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4876	ExamShieldSetup.exe
Token: SeTcbPrivilege	4876	ExamShieldSetup.exe
Token: SeSecurityPrivilege	4876	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	4876	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	4876	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	4876	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	4876	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	4876	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	4876	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	4876	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	4876	ExamShieldSetup.exe
Token: SeBackupPrivilege	4876	ExamShieldSetup.exe
Token: SeRestorePrivilege	4876	ExamShieldSetup.exe
Token: SeShutdownPrivilege	4876	ExamShieldSetup.exe
Token: SeDebugPrivilege	4876	ExamShieldSetup.exe
Token: SeAuditPrivilege	4876	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	4876	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	4876	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	4876	ExamShieldSetup.exe
Token: SeUndockPrivilege	4876	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	4876	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	4876	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	4876	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	4876	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	4876	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4876	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4876	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4876	ExamShieldSetup.exe
Token: SeTcbPrivilege	4876	ExamShieldSetup.exe
Token: SeSecurityPrivilege	4876	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	4876	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	4876	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	4876	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	4876	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	4876	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	4876	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	4876	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	4876	ExamShieldSetup.exe
Token: SeBackupPrivilege	4876	ExamShieldSetup.exe
Token: SeRestorePrivilege	4876	ExamShieldSetup.exe
Token: SeShutdownPrivilege	4876	ExamShieldSetup.exe
Token: SeDebugPrivilege	4876	ExamShieldSetup.exe
Token: SeAuditPrivilege	4876	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	4876	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	4876	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	4876	ExamShieldSetup.exe
Token: SeUndockPrivilege	4876	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	4876	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	4876	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	4876	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	4876	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	4876	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4876	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4876	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4876	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4876	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3048 msiexec.exe
3048 msiexec.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ExamShieldLauncher.exe

pid process

4056 ExamShieldLauncher.exe
4056 ExamShieldLauncher.exe
4056 ExamShieldLauncher.exe

pid	process
3048	msiexec.exe
3048	msiexec.exe

pid	process
4056	ExamShieldLauncher.exe
4056	ExamShieldLauncher.exe
4056	ExamShieldLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ExamShieldLauncher.exeExamShieldSetup.exemsiexec.exeExamShieldSetup.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 1684	4056	ExamShieldLauncher.exe	ExamShieldSetup.exe
PID 4056 wrote to memory of 1684	4056	ExamShieldLauncher.exe	ExamShieldSetup.exe
PID 4056 wrote to memory of 1684	4056	ExamShieldLauncher.exe	ExamShieldSetup.exe
PID 1684 wrote to memory of 4876	1684	ExamShieldSetup.exe	ExamShieldSetup.exe
PID 1684 wrote to memory of 4876	1684	ExamShieldSetup.exe	ExamShieldSetup.exe
PID 1684 wrote to memory of 4876	1684	ExamShieldSetup.exe	ExamShieldSetup.exe
PID 2212 wrote to memory of 4052	2212	msiexec.exe	MsiExec.exe
PID 2212 wrote to memory of 4052	2212	msiexec.exe	MsiExec.exe
PID 2212 wrote to memory of 4052	2212	msiexec.exe	MsiExec.exe
PID 4876 wrote to memory of 4744	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 4744	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1884	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1884	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3404	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3404	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1660	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1660	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3504	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3504	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 4556	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 4556	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1172	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 1172	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3304	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3304	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 4044	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 4044	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3172	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3172	4876	ExamShieldSetup.exe	ISBEW64.exe
PID 4876 wrote to memory of 3048	4876	ExamShieldSetup.exe	msiexec.exe
PID 4876 wrote to memory of 3048	4876	ExamShieldSetup.exe	msiexec.exe
PID 4876 wrote to memory of 3048	4876	ExamShieldSetup.exe	msiexec.exe
PID 2212 wrote to memory of 2616	2212	msiexec.exe	MsiExec.exe
PID 2212 wrote to memory of 2616	2212	msiexec.exe	MsiExec.exe
PID 2212 wrote to memory of 2616	2212	msiexec.exe	MsiExec.exe
PID 4876 wrote to memory of 4004	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4004	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4004	4876	ExamShieldSetup.exe	cmd.exe
PID 4004 wrote to memory of 1540	4004	cmd.exe	netsh.exe
PID 4004 wrote to memory of 1540	4004	cmd.exe	netsh.exe
PID 4004 wrote to memory of 1540	4004	cmd.exe	netsh.exe
PID 4876 wrote to memory of 4872	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4872	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4872	4876	ExamShieldSetup.exe	cmd.exe
PID 4872 wrote to memory of 3648	4872	cmd.exe	netsh.exe
PID 4872 wrote to memory of 3648	4872	cmd.exe	netsh.exe
PID 4872 wrote to memory of 3648	4872	cmd.exe	netsh.exe
PID 4876 wrote to memory of 4656	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4656	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4656	4876	ExamShieldSetup.exe	cmd.exe
PID 4656 wrote to memory of 1488	4656	cmd.exe	netsh.exe
PID 4656 wrote to memory of 1488	4656	cmd.exe	netsh.exe
PID 4656 wrote to memory of 1488	4656	cmd.exe	netsh.exe
PID 4876 wrote to memory of 4528	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4528	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 4528	4876	ExamShieldSetup.exe	cmd.exe
PID 4528 wrote to memory of 1884	4528	cmd.exe	netsh.exe
PID 4528 wrote to memory of 1884	4528	cmd.exe	netsh.exe
PID 4528 wrote to memory of 1884	4528	cmd.exe	netsh.exe
PID 4876 wrote to memory of 3788	4876	ExamShieldSetup.exe	ExamShield.exe
PID 4876 wrote to memory of 3788	4876	ExamShieldSetup.exe	ExamShield.exe
PID 4876 wrote to memory of 3788	4876	ExamShieldSetup.exe	ExamShield.exe
PID 4876 wrote to memory of 744	4876	ExamShieldSetup.exe	cmd.exe
PID 4876 wrote to memory of 744	4876	ExamShieldSetup.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ExamShieldLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\ExamShieldLauncher.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ExamShieldSetup.exe
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}" /z" LAUNCHEXAMSHIELD" /IS_temp
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B36ED8A-119F-4E89-B89A-C4A4A043D7C6}
4⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{453D4DCD-6499-4930-A0D7-2392251247C7}
4⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C926374F-C3BA-4D45-93DE-943A2512BCEC}
4⤵
- Executes dropped EXE
PID:3404

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{82713961-5F72-4A4A-8660-94772EB15FB4}
4⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{61939B8A-E9F5-4ADD-B664-4D9C76508CFE}
4⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5A6A72B-2B15-4C43-8862-9BB0F5559B36}
4⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{432162B9-020D-4095-8188-A439797E1459}
4⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A523B0A2-B735-4F94-8968-42406068F113}
4⤵
- Executes dropped EXE
PID:3304

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58FF4692-D7ED-4ABD-93DB-9FA5A10CB505}
4⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85F93957-DC9B-4644-97F0-2221AEB3D3A1}
4⤵
- Executes dropped EXE
PID:3172

C:\Windows\SysWOW64\msiexec.exe
msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
4⤵
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
4⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
5⤵
- Modifies Windows Firewall
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
4⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
5⤵
- Modifies Windows Firewall
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1884

C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:2700

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:5108

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:5100

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:1412

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:3700

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:3364

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:1388

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:4444

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:4452

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:3748

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:1880

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:2176

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:2272

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:1528

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:656

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:2844

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:4408

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
5⤵
PID:3296

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 4476
5⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}"
4⤵
PID:744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 676CFD5A6EE92A35335CCBD06C9C80FB C
2⤵
- Loads dropped DLL
PID:4052

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FA2AE84D5897C9934C53ECEE3C25EDF2
2⤵
- Loads dropped DLL
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4432

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1848

C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
"C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1116

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:2944

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:3144

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:4804

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4212

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1120

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1480

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1756

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:520

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1416

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4528

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:3088

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4968

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1820

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:3048

C:\Windows\system32\NETSTAT.EXE
netstat -ano
1⤵
- Gathers network information
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3788 -ip 3788
1⤵
PID:3772

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\UnprotectExpand.otf
1⤵
PID:528

C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
"C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1780

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:3824

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:3984

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:3292

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4540

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:4332

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1928

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1848

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1696

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1532

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1608

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:4440

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4808

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:380

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:744

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:3276

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4628

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1216

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4212

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1544

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1772

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:3876

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:1020

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:2564

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4956

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:4872

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:3524

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C netstat -ano
2⤵
PID:1564

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 4464
2⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1780 -ip 1780
1⤵
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA
Filesize
471B

MD5
696c07660f0d88f9ec5e7292b203f3b7

SHA1
c87763f51aad8ff1de3a56798e40d96a831094c3

SHA256
a1f63bbfce2eaa3e65ef7e76a5a8ffa93f59a34f27d592810bce9a2c75ab782d

SHA512
6037c5464cf93c085663c520f790aec7149709ec80a86ba2ee86f0115f2991307f8eea08d551a9cf7cf4d3bd66229a2da02ce9b753537230a998a788c2a615d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_B658506A740BE0B6C04A02C9B32FBDCD
Filesize
727B

MD5
278c6c06dc82034db331c85e389e4366

SHA1
d741236efe15f3be41185a81c33f115c200b614d

SHA256
9acf66ef5f95889875a7dca8d4548b212a2b16dd274fdf772a6a911b02eb9a79

SHA512
af43928c0701eda3d2ff357351fe597ae1d48d5f950cdb3253c606bba6a134c1d377807491dd1418d709d13d201a0c61b24cfea14c14dd19507631240798ff38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
2f3f546870bb4763441ec2cd3541465b

SHA1
7cd6533e8550933c73654944ea62738ab79f3e26

SHA256
1f812efe1ea9f884f0fbc724822273633b24ab39c1810e7ca9d70805e6e61720

SHA512
d73dcb5d5cf67356ebbf6a7c573a65ca261e781e48930d1d1f1581a203e63014085690f970e7c3b156e31ad1416262ea6253db0440f0e9e06856878445dc7da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_7AA1872B10F7F2428A1288E96F0B99FA
Filesize
400B

MD5
b3901bb713acf8374fe4f9935fcfdf1e

SHA1
a14c96d92788aad6102073f0bdf7838c9c747d08

SHA256
5165b64318bff81957c2d399593ef9e9457cb8d934b903098da39df67aacb71b

SHA512
daab3e5d97f14515f366696bd28e63c77a83fdb5f5c326814a16605dcfc9e4ac0047edf8a2f7c38a1a44809e090b822bf24342445dc1e1564f3bc90758510097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_B658506A740BE0B6C04A02C9B32FBDCD
Filesize
404B

MD5
c6379c0c01211a36b3be2f4bf1de946e

SHA1
3b54512f628af4a295f637de640b6f2d293111c9

SHA256
c2fa2a71b81d644320de166c68a99696c3ce01817b9930165baac7d7d9153c34

SHA512
bfd513eb43366cd198ee85447c1ac5b8c14f6f0d0f2760de4c06d59da110bed19deab7cb93da05f81aecb329af7bd03ff47893b5aad79d6c681eec3e7c487fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
442B

MD5
5d7afdec1eb5796a6c3c220544a8ced9

SHA1
276e5128cf042c17207ade70e1aee628ef23de94

SHA256
032464fadb39ea78cbbd95d58b0ca9596b3f53a75000f6fbf6324fb1329202f5

SHA512
655e925eb559051d4731024bff7b1ad82944db09527dac34cee87fcd3079a9213d0bcc58a41e7c44205fa6302566e656d68de2ba98b45dc790cec17d696c9657

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldParams.dat
Filesize
9B

MD5
9bab2b4c50d8359fc53c582d09ca21df

SHA1
9b2473d04fc51348aa20d1fedf5e629c43a0ada9

SHA256
9dbf8057012e99a692df37f984b92232c1aeee59ba9576be9f440d2ae0bef774

SHA512
c989409cb5c9fd74b66ec0a6c2d2a0f1166c2f7e379794bc7511119c53388baf60e37ef0b0f8f3b854283f832fc91147b63da46eb3cef22bc394946e34943a12

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
Filesize
37.9MB

MD5
4df942392d1c45abd2d69e68b5962d29

SHA1
bc583656923db56c47e2c6836a7078d54f7e1b8e

SHA256
8820dffed151ac0b58a027c1ba349504661ef0d8419605694e613594f56bfa72

SHA512
cd5a5af5215a7444fedfd96af57e579e34cc7fb809606f5331fc27a38214385adc50a74325243df0fbd8cb01570b78315c291a60393fb72720ec02b1a8a838bf

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
Filesize
37.9MB

MD5
4df942392d1c45abd2d69e68b5962d29

SHA1
bc583656923db56c47e2c6836a7078d54f7e1b8e

SHA256
8820dffed151ac0b58a027c1ba349504661ef0d8419605694e613594f56bfa72

SHA512
cd5a5af5215a7444fedfd96af57e579e34cc7fb809606f5331fc27a38214385adc50a74325243df0fbd8cb01570b78315c291a60393fb72720ec02b1a8a838bf

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat
Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat
Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ExamShield.exe.log
Filesize
2KB

MD5
7628f61e8b18d6eafe91e1a31f45d78c

SHA1
cd632cb83c0ae9f487e84f1ef4f22555670fb413

SHA256
f151fbd50735be79286b4cbbfd45235897aed42f56efa8655a89dcffbd08596f

SHA512
bcb8221b59a598a4e1f9d8bd92afc4a8b0b60079394c81cadd1c5badd36580783b05ee6a00b5c954a8c51211a9dcd1b287e143c707d80f907fa2d69b7a3e2d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll
Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll
Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll
Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll
Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt
Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt
Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI848B.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI848B.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8547.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8547.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ExamShield.msi
Filesize
23.4MB

MD5
c23d0de48ced5bd3e0cb41a78537a7fc

SHA1
c8a4c608ed189353dd8cc9bf5de406c9de2b2cd0

SHA256
5644d0165f802afb9d86809407cc66a83b43f2ba311094aa9042d40772fc9889

SHA512
98d086065126293839c33205034142afaa479cfaf3a03be7df70be7992e7d1d70347f988569d8b103530be76a8fce7955125e97b80d3bcc0ecd5dca0e63fd7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ExamShieldSetup.exe
Filesize
37.9MB

MD5
4df942392d1c45abd2d69e68b5962d29

SHA1
bc583656923db56c47e2c6836a7078d54f7e1b8e

SHA256
8820dffed151ac0b58a027c1ba349504661ef0d8419605694e613594f56bfa72

SHA512
cd5a5af5215a7444fedfd96af57e579e34cc7fb809606f5331fc27a38214385adc50a74325243df0fbd8cb01570b78315c291a60393fb72720ec02b1a8a838bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ExamShieldSetup.exe
Filesize
37.9MB

MD5
4df942392d1c45abd2d69e68b5962d29

SHA1
bc583656923db56c47e2c6836a7078d54f7e1b8e

SHA256
8820dffed151ac0b58a027c1ba349504661ef0d8419605694e613594f56bfa72

SHA512
cd5a5af5215a7444fedfd96af57e579e34cc7fb809606f5331fc27a38214385adc50a74325243df0fbd8cb01570b78315c291a60393fb72720ec02b1a8a838bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\ISSetup.dll
Filesize
3.0MB

MD5
1139a37a9ecffb04b0a9bb3fc0084469

SHA1
ac9cf9bb53105e1eaa1f460df96aed84d525eeb5

SHA256
a2b9c3fe48928d5a72e359c8effacc9035bb1f7bdca1853b1cfb079b6f4ffb1a

SHA512
e1bb93672c4124a98ace92ba88f1452a0fb0a440b360d687042f347af2bf2e7a5539e9d352707993304535b97945eb1d6bee0120ec91c78588d543f4d0c55b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{561384E8-4C84-4D8C-A760-5B42AEAF0C7B}\_ISMSIDEL.INI
Filesize
632B

MD5
3ee9fca214f9a232be403646203554ce

SHA1
2b1fdf5f9c9221c3b7e3d486ffd8c038ef869a1a

SHA256
a6ede3d3cb2f803e9a1520ecda86b4c36935b487bae6171e4cdd1d3c85091f29

SHA512
b6eb2881270ac9fcb671aceaaf843f5f35dd4038a941f8572e4814d53eefd73369ba268541e47b484adfaf0c29d627963fbdfb7396d4f6a57a4990a4e91ee90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISBEW64.exe
Filesize
178KB

MD5
95324884824522e3fb1385eaa651b3c2

SHA1
7f0006b6df6c66748ab9542662c04a055d0f6497

SHA256
c74fef6e38c4439c7d652449869a92121e43df373b0a0cb5498bb7a79eaa0990

SHA512
df4b2b6c834b2348ad5abf5f3a127b7aa9ebb7a10c78212f4569e9049092aac19c7adacc99f9becb93239a35a902efe10fb59473d3d9691a313c764bfa6a19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\ISRT.dll
Filesize
426KB

MD5
f5749e8fc6419afdb27283ccc57f25af

SHA1
abe645b76d05b831e86e94abe870883618c8c6c6

SHA256
ed05b093f2264f166b5c9305141dbdfc320668c34f5d164aa68879a58c0e7c43

SHA512
6b7844e16748c2a0ea01c1b3841ddc09f0abc408003ef681807580834359f609443ca6d3b2df7d4e580d22ad7deabc63d01e169cae271c4ea9ad5445fb3a1208

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\Software License Agreement_EN.rtf
Filesize
7KB

MD5
2d4eaea4d9b564964e5e4aea88d48555

SHA1
2cad664a938cdc69e0c6d741575e5819733fc374

SHA256
93494ec77002f73f074bceeb91be9c4f805c1c07852db14d37729d81e0deefd0

SHA512
4ef21301822b3146984f975943e39a7875281d14b5f14f10fb4051be818115a0d54d02876658d279b820e72720d48983214b37abf1d888ac254be7be5b98cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\_isres_0x0409.dll
Filesize
1.8MB

MD5
034f2d2a1eee7aa3031599d7481bef7d

SHA1
599ab430f1c69e6ca67914b6b834bd6ca81f6552

SHA256
36d4a1cc41f68238d197ea4510b93718c1e6a93a9c17a8169db95130371fbecf

SHA512
289af5525e70e592aa54857eba267e102eb8be33c8d69041fb23f6c2482cf5a34a88e4dc2affbe8a61caa5acf92d1b4e8de5a2d871da4f00c90d6e077d05326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\_isres_0x0409.dll
Filesize
1.8MB

MD5
034f2d2a1eee7aa3031599d7481bef7d

SHA1
599ab430f1c69e6ca67914b6b834bd6ca81f6552

SHA256
36d4a1cc41f68238d197ea4510b93718c1e6a93a9c17a8169db95130371fbecf

SHA512
289af5525e70e592aa54857eba267e102eb8be33c8d69041fb23f6c2482cf5a34a88e4dc2affbe8a61caa5acf92d1b4e8de5a2d871da4f00c90d6e077d05326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\_isuser_0x0409.dll
Filesize
596KB

MD5
508a8d89fa03fb9f3986c5b4072593f1

SHA1
d0f1b7314189135f5d0a3c0e4a4571d7524a5d51

SHA256
17f7f9f7195be221cada6c2db4949c973d4a8e85603de279f0311747d3c4ca68

SHA512
83b41e149b6a40ea3b6131eb63e8fd268188db7ad424c1f80ecb6bc687d89205464b8c3ee343fc718925d56bb21b76d5cf9dd7d1ca806192b6fedad94e748776

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9320A8A-1B1A-4928-8754-CBD447882991}\_isuser_0x0409.dll
Filesize
596KB

MD5
508a8d89fa03fb9f3986c5b4072593f1

SHA1
d0f1b7314189135f5d0a3c0e4a4571d7524a5d51

SHA256
17f7f9f7195be221cada6c2db4949c973d4a8e85603de279f0311747d3c4ca68

SHA512
83b41e149b6a40ea3b6131eb63e8fd268188db7ad424c1f80ecb6bc687d89205464b8c3ee343fc718925d56bb21b76d5cf9dd7d1ca806192b6fedad94e748776

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll
Filesize
20KB

MD5
5743c9b0d2b183f84916299353788821

SHA1
e9210a26de13e5773a0caa6c361907fe16c19bdb

SHA256
0d75c753a2fe3fc7b83e2ce5f5cccd6b7d8a9172a25aae2e2ee75dec25691cdc

SHA512
92ddaa29419b8538228dc5848570987df25dea31ab0dbf8317af8f751e24441ef9752dfe8469647e391c93baedf688b04db0375168c470e330c711203dfe5568

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll
Filesize
20KB

MD5
5743c9b0d2b183f84916299353788821

SHA1
e9210a26de13e5773a0caa6c361907fe16c19bdb

SHA256
0d75c753a2fe3fc7b83e2ce5f5cccd6b7d8a9172a25aae2e2ee75dec25691cdc

SHA512
92ddaa29419b8538228dc5848570987df25dea31ab0dbf8317af8f751e24441ef9752dfe8469647e391c93baedf688b04db0375168c470e330c711203dfe5568

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
Filesize
17.6MB

MD5
63d3d7ffabd84efb2e746fb9b4215ab2

SHA1
ee3a621bbb929053821ff85a056d0af43a2f7b47

SHA256
489a482a11ce38c3c79bc71018d23acb13422b928e4529b86ee1816b7e8d9652

SHA512
bbbcff803d16cf0dc7bf60e1e525670fadf556bb281fd525ca2f7acd707e2fad386ca22bcb03c7f4b0c182dc7358c3a9777cf9cac6937e0233ad31f907a8c82b

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
Filesize
17.6MB

MD5
63d3d7ffabd84efb2e746fb9b4215ab2

SHA1
ee3a621bbb929053821ff85a056d0af43a2f7b47

SHA256
489a482a11ce38c3c79bc71018d23acb13422b928e4529b86ee1816b7e8d9652

SHA512
bbbcff803d16cf0dc7bf60e1e525670fadf556bb281fd525ca2f7acd707e2fad386ca22bcb03c7f4b0c182dc7358c3a9777cf9cac6937e0233ad31f907a8c82b

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
Filesize
17.6MB

MD5
63d3d7ffabd84efb2e746fb9b4215ab2

SHA1
ee3a621bbb929053821ff85a056d0af43a2f7b47

SHA256
489a482a11ce38c3c79bc71018d23acb13422b928e4529b86ee1816b7e8d9652

SHA512
bbbcff803d16cf0dc7bf60e1e525670fadf556bb281fd525ca2f7acd707e2fad386ca22bcb03c7f4b0c182dc7358c3a9777cf9cac6937e0233ad31f907a8c82b

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
Filesize
17.6MB

MD5
63d3d7ffabd84efb2e746fb9b4215ab2

SHA1
ee3a621bbb929053821ff85a056d0af43a2f7b47

SHA256
489a482a11ce38c3c79bc71018d23acb13422b928e4529b86ee1816b7e8d9652

SHA512
bbbcff803d16cf0dc7bf60e1e525670fadf556bb281fd525ca2f7acd707e2fad386ca22bcb03c7f4b0c182dc7358c3a9777cf9cac6937e0233ad31f907a8c82b

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll
Filesize
447KB

MD5
bb7dbf84255028441aab3f9e957e3166

SHA1
3b4c7bd0d014a1144da758af3eaca0ba789978de

SHA256
6654c1f0591c979d1e31244f38869d0ba641d0faf5697faa6076efa7ebc5f101

SHA512
4e05b6132c7edf07678cfeb3ae9044f1350d704a8650a3507734b42fcee84e4fad55f6ba7b9a2de91277ef762dc58f3d7383db7cc2072765ad242b93ff8ad78d

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll
Filesize
363KB

MD5
2c1f2e6495f6e4b500079bbe35c20513

SHA1
87a1f46c6bce36ab0c0b5e4fb1bb02aac5cb73b4

SHA256
c488936131cc29baadc4058e3f6ef906b5a8e4a470c40bbd0e47f51bdd4c0cc4

SHA512
9c41639cfde7666c7e4540e1015b9e7b4f03d89ce319ad519155de2f816a43b4eb78592f1a919203deee05c08332050d05e526df8f6653f342c8cf8abd6da0e6

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico
Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Windows\Installer\MSI2565.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Windows\Installer\MSI2565.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Windows\Installer\MSI2A0A.tmp
Filesize
211KB

MD5
e28c1351167450b0d0da9e1bc3397e8e

SHA1
6b9efb7c212fb43aa238cf4e01d46d511a2cf244

SHA256
ab4229f6230ceb615a79b376825d701b391492c95278d4cb4ffc36446adc2173

SHA512
b80a72cf153b6dc5eb590b6640180d2f34620c4867fbe4b4c5e26979b97687bd781621d20b058cc064918714b3a7293d07c0be58df031ad4629c054774d766a7

Download Submit
C:\Windows\Installer\MSI2A0A.tmp
Filesize
211KB

MD5
e28c1351167450b0d0da9e1bc3397e8e

SHA1
6b9efb7c212fb43aa238cf4e01d46d511a2cf244

SHA256
ab4229f6230ceb615a79b376825d701b391492c95278d4cb4ffc36446adc2173

SHA512
b80a72cf153b6dc5eb590b6640180d2f34620c4867fbe4b4c5e26979b97687bd781621d20b058cc064918714b3a7293d07c0be58df031ad4629c054774d766a7

Download Submit
C:\Windows\Installer\MSI32C6.tmp
Filesize
211KB

MD5
e28c1351167450b0d0da9e1bc3397e8e

SHA1
6b9efb7c212fb43aa238cf4e01d46d511a2cf244

SHA256
ab4229f6230ceb615a79b376825d701b391492c95278d4cb4ffc36446adc2173

SHA512
b80a72cf153b6dc5eb590b6640180d2f34620c4867fbe4b4c5e26979b97687bd781621d20b058cc064918714b3a7293d07c0be58df031ad4629c054774d766a7

Download Submit
C:\Windows\Installer\MSI32C6.tmp
Filesize
211KB

MD5
e28c1351167450b0d0da9e1bc3397e8e

SHA1
6b9efb7c212fb43aa238cf4e01d46d511a2cf244

SHA256
ab4229f6230ceb615a79b376825d701b391492c95278d4cb4ffc36446adc2173

SHA512
b80a72cf153b6dc5eb590b6640180d2f34620c4867fbe4b4c5e26979b97687bd781621d20b058cc064918714b3a7293d07c0be58df031ad4629c054774d766a7

Download Submit
C:\Windows\Installer\MSI37B9.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Windows\Installer\MSI37B9.tmp
Filesize
172KB

MD5
99d93060b43363c3a58ab262741adbf3

SHA1
ed95117eb767885faeecd9be28ad64af67bc1ed0

SHA256
ae650f658a4490d0a18a2877f21ed804539b2d98e13fbf8ee946d3278d62ffee

SHA512
49e756b4b4f241d399c3e38a2ce8b87a8a40f9ffde182bdfe40456db4eb3b38df8e241feaddf56dba8eba05161b8d7c6cff406ee4b93110dfd0f8618ca4ada10

Download Submit
C:\Windows\Installer\e582056.msi
Filesize
23.4MB

MD5
c23d0de48ced5bd3e0cb41a78537a7fc

SHA1
c8a4c608ed189353dd8cc9bf5de406c9de2b2cd0

SHA256
5644d0165f802afb9d86809407cc66a83b43f2ba311094aa9042d40772fc9889

SHA512
98d086065126293839c33205034142afaa479cfaf3a03be7df70be7992e7d1d70347f988569d8b103530be76a8fce7955125e97b80d3bcc0ecd5dca0e63fd7c7

Download Submit
memory/520-272-0x0000000000000000-mapping.dmp

Download
memory/656-280-0x0000000000000000-mapping.dmp

Download
memory/744-216-0x0000000000000000-mapping.dmp

Download
memory/1116-253-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-252-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-264-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-288-0x000000006F180000-0x000000006F390000-memory.dmp

Filesize
2.1MB

Download
memory/1116-299-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-300-0x0000000005270000-0x00000000052B7000-memory.dmp

Filesize
284KB

Download
memory/1116-255-0x00000000755C0000-0x0000000075B73000-memory.dmp

Filesize
5.7MB

Download
memory/1116-265-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-276-0x000000000E490000-0x000000000E55E000-memory.dmp

Filesize
824KB

Download
memory/1116-254-0x0000000074C40000-0x0000000074CC9000-memory.dmp

Filesize
548KB

Download
memory/1116-275-0x000000000CAD0000-0x000000000CAE2000-memory.dmp

Filesize
72KB

Download
memory/1116-240-0x0000000005270000-0x00000000052B7000-memory.dmp

Filesize
284KB

Download
memory/1116-241-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-247-0x00000000754D0000-0x00000000755B3000-memory.dmp

Filesize
908KB

Download
memory/1116-243-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1116-246-0x0000000076C60000-0x0000000076EE1000-memory.dmp

Filesize
2.5MB

Download
memory/1116-263-0x0000000005270000-0x00000000052B7000-memory.dmp

Filesize
284KB

Download
memory/1116-245-0x00000000766C0000-0x00000000768D5000-memory.dmp

Filesize
2.1MB

Download
memory/1116-244-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1120-266-0x0000000000000000-mapping.dmp

Download
memory/1172-164-0x0000000000000000-mapping.dmp

Download
memory/1388-249-0x0000000000000000-mapping.dmp

Download
memory/1412-232-0x0000000000000000-mapping.dmp

Download
memory/1416-281-0x0000000000000000-mapping.dmp

Download
memory/1480-267-0x0000000000000000-mapping.dmp

Download
memory/1488-204-0x0000000000000000-mapping.dmp

Download
memory/1528-279-0x0000000000000000-mapping.dmp

Download
memory/1540-198-0x0000000000000000-mapping.dmp

Download
memory/1660-152-0x0000000000000000-mapping.dmp

Download
memory/1684-132-0x0000000000000000-mapping.dmp

Download
memory/1756-270-0x0000000000000000-mapping.dmp

Download
memory/1780-309-0x00000000754D0000-0x00000000755B3000-memory.dmp

Filesize
908KB

Download
memory/1780-305-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-321-0x0000000003570000-0x00000000035B7000-memory.dmp

Filesize
284KB

Download
memory/1780-320-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-319-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-327-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-313-0x00000000755C0000-0x0000000075B73000-memory.dmp

Filesize
5.7MB

Download
memory/1780-312-0x0000000072AE0000-0x0000000072B69000-memory.dmp

Filesize
548KB

Download
memory/1780-311-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-310-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-326-0x0000000003570000-0x00000000035B7000-memory.dmp

Filesize
284KB

Download
memory/1780-307-0x0000000076C60000-0x0000000076EE1000-memory.dmp

Filesize
2.5MB

Download
memory/1780-306-0x00000000766C0000-0x00000000768D5000-memory.dmp

Filesize
2.1MB

Download
memory/1780-324-0x000000006E320000-0x000000006E36C000-memory.dmp

Filesize
304KB

Download
memory/1780-304-0x0000000003570000-0x00000000035B7000-memory.dmp

Filesize
284KB

Download
memory/1780-303-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-302-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/1780-323-0x000000006F790000-0x000000006F9A0000-memory.dmp

Filesize
2.1MB

Download
memory/1820-297-0x0000000000000000-mapping.dmp

Download
memory/1880-273-0x0000000000000000-mapping.dmp

Download
memory/1884-148-0x0000000000000000-mapping.dmp

Download
memory/1884-207-0x0000000000000000-mapping.dmp

Download
memory/2176-277-0x0000000000000000-mapping.dmp

Download
memory/2272-278-0x0000000000000000-mapping.dmp

Download
memory/2616-181-0x0000000000000000-mapping.dmp

Download
memory/2700-229-0x0000000000000000-mapping.dmp

Download
memory/2844-289-0x0000000000000000-mapping.dmp

Download
memory/2944-258-0x0000000000000000-mapping.dmp

Download
memory/3048-298-0x0000000000000000-mapping.dmp

Download
memory/3048-173-0x0000000000000000-mapping.dmp

Download
memory/3088-295-0x0000000000000000-mapping.dmp

Download
memory/3144-260-0x0000000000000000-mapping.dmp

Download
memory/3172-171-0x0000000000000000-mapping.dmp

Download
memory/3292-316-0x0000000000000000-mapping.dmp

Download
memory/3296-291-0x0000000000000000-mapping.dmp

Download
memory/3304-166-0x0000000000000000-mapping.dmp

Download
memory/3364-250-0x0000000000000000-mapping.dmp

Download
memory/3404-150-0x0000000000000000-mapping.dmp

Download
memory/3504-154-0x0000000000000000-mapping.dmp

Download
memory/3648-202-0x0000000000000000-mapping.dmp

Download
memory/3700-248-0x0000000000000000-mapping.dmp

Download
memory/3748-271-0x0000000000000000-mapping.dmp

Download
memory/3788-235-0x000000000D600000-0x000000000D608000-memory.dmp

Filesize
32KB

Download
memory/3788-294-0x0000000005030000-0x0000000005077000-memory.dmp

Filesize
284KB

Download
memory/3788-225-0x0000000008EE0000-0x0000000008EF2000-memory.dmp

Filesize
72KB

Download
memory/3788-226-0x00000000755C0000-0x0000000075B73000-memory.dmp

Filesize
5.7MB

Download
memory/3788-212-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-223-0x0000000008F00000-0x0000000008F92000-memory.dmp

Filesize
584KB

Download
memory/3788-224-0x0000000008FA0000-0x0000000009006000-memory.dmp

Filesize
408KB

Download
memory/3788-222-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/3788-221-0x0000000074C40000-0x0000000074CC9000-memory.dmp

Filesize
548KB

Download
memory/3788-208-0x0000000000000000-mapping.dmp

Download
memory/3788-233-0x000000000B5C0000-0x000000000B5CA000-memory.dmp

Filesize
40KB

Download
memory/3788-234-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-236-0x0000000005030000-0x0000000005077000-memory.dmp

Filesize
284KB

Download
memory/3788-283-0x0000000010F00000-0x0000000011518000-memory.dmp

Filesize
6.1MB

Download
memory/3788-284-0x000000000FD80000-0x000000000FD92000-memory.dmp

Filesize
72KB

Download
memory/3788-285-0x0000000010830000-0x000000001086C000-memory.dmp

Filesize
240KB

Download
memory/3788-286-0x000000006DF50000-0x000000006DF9C000-memory.dmp

Filesize
304KB

Download
memory/3788-287-0x0000000010BE0000-0x0000000010CEA000-memory.dmp

Filesize
1.0MB

Download
memory/3788-220-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-238-0x000000000D920000-0x000000000D942000-memory.dmp

Filesize
136KB

Download
memory/3788-239-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-219-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-218-0x00000000754D0000-0x00000000755B3000-memory.dmp

Filesize
908KB

Download
memory/3788-293-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-262-0x000000000DD40000-0x000000000DD96000-memory.dmp

Filesize
344KB

Download
memory/3788-210-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3788-242-0x000000000E450000-0x000000000E97C000-memory.dmp

Filesize
5.2MB

Download
memory/3788-211-0x0000000005030000-0x0000000005077000-memory.dmp

Filesize
284KB

Download
memory/3788-217-0x0000000076C60000-0x0000000076EE1000-memory.dmp

Filesize
2.5MB

Download
memory/3788-274-0x000000006F180000-0x000000006F390000-memory.dmp

Filesize
2.1MB

Download
memory/3788-215-0x00000000766C0000-0x00000000768D5000-memory.dmp

Filesize
2.1MB

Download
memory/3788-214-0x0000000000E20000-0x00000000034DE000-memory.dmp

Filesize
38.7MB

Download
memory/3824-315-0x0000000000000000-mapping.dmp

Download
memory/3984-317-0x0000000000000000-mapping.dmp

Download
memory/4004-197-0x0000000000000000-mapping.dmp

Download
memory/4044-169-0x0000000000000000-mapping.dmp

Download
memory/4052-140-0x0000000000000000-mapping.dmp

Download
memory/4212-261-0x0000000000000000-mapping.dmp

Download
memory/4332-322-0x0000000000000000-mapping.dmp

Download
memory/4408-290-0x0000000000000000-mapping.dmp

Download
memory/4444-268-0x0000000000000000-mapping.dmp

Download
memory/4452-269-0x0000000000000000-mapping.dmp

Download
memory/4528-282-0x0000000000000000-mapping.dmp

Download
memory/4528-251-0x0000000000000000-mapping.dmp

Download
memory/4528-206-0x0000000000000000-mapping.dmp

Download
memory/4540-318-0x0000000000000000-mapping.dmp

Download
memory/4556-162-0x0000000000000000-mapping.dmp

Download
memory/4656-203-0x0000000000000000-mapping.dmp

Download
memory/4744-145-0x0000000000000000-mapping.dmp

Download
memory/4804-259-0x0000000000000000-mapping.dmp

Download
memory/4804-292-0x0000000000000000-mapping.dmp

Download
memory/4872-201-0x0000000000000000-mapping.dmp

Download
memory/4876-159-0x0000000006220000-0x00000000063E7000-memory.dmp

Filesize
1.8MB

Download
memory/4876-167-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/4876-135-0x0000000000000000-mapping.dmp

Download
memory/4968-296-0x0000000000000000-mapping.dmp

Download
memory/5100-230-0x0000000000000000-mapping.dmp

Download
memory/5108-231-0x0000000000000000-mapping.dmp

Download