asyncrat | hxxps://download[.]peoplecert[.]org/files/ExamShieldLauncher[.]exe?id=anonymous

Analysis

max time kernel
137s
max time network
140s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.peoplecert.org/files/ExamShieldLauncher.exe?id=anonymous

Score

10^/10

asyncrat discovery evasion persistence privilege_escalation rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4684	netsh.exe
5000	netsh.exe
4856	netsh.exe
3572	netsh.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SYSTEMBIOSVERSION	ExamShield.exe

Executes dropped EXE 14 IoCs

pid	Process
1504	ExamShieldLauncher.exe
2140	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
2016	ISBEW64.exe
3900	ISBEW64.exe
3612	ISBEW64.exe
332	ISBEW64.exe
1908	ISBEW64.exe
3284	ISBEW64.exe
5028	ISBEW64.exe
2452	ISBEW64.exe
4828	ISBEW64.exe
4568	ISBEW64.exe
3360	ExamShield.exe

Loads dropped DLL 14 IoCs

pid	Process
5052	ExamShieldSetup.exe
3120	MsiExec.exe
3120	MsiExec.exe
5052	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
4072	MsiExec.exe
3360	ExamShield.exe
3360	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3360	ExamShield.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI999C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFD8C755CD417A972.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F6C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1C1D880E65D349CE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5894e8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97B7.tmp	msiexec.exe
File created	C:\Windows\Installer\e5894ea.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6E6ED1AD6FDD444D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE79369747574F62B.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D48.tmp	msiexec.exe
File created	C:\Windows\Installer\e5894e8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 14 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1520	NETSTAT.EXE
3060	NETSTAT.EXE
3508	NETSTAT.EXE
1908	NETSTAT.EXE
3620	NETSTAT.EXE
4828	NETSTAT.EXE
4648	NETSTAT.EXE
3868	NETSTAT.EXE
4652	NETSTAT.EXE
1908	NETSTAT.EXE
1124	NETSTAT.EXE
4376	NETSTAT.EXE
520	NETSTAT.EXE
3784	NETSTAT.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 71838.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ExamShieldLauncher.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldLauncher.exe\:SmartScreen:$DATA	ExamShieldLauncher.exe
File created	C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldLauncher.exe\:Zone.Identifier:$DATA	ExamShieldLauncher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	msedge.exe
1476	msedge.exe
2432	msedge.exe
2432	msedge.exe
1120	identity_helper.exe
1120	identity_helper.exe
4344	msedge.exe
4344	msedge.exe
1376	msedge.exe
1376	msedge.exe
5052	ExamShieldSetup.exe
5052	ExamShieldSetup.exe
3404	msiexec.exe
3404	msiexec.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe
3360	ExamShield.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3404	msiexec.exe
Token: SeCreateTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	5052	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	5052	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	5052	ExamShieldSetup.exe
Token: SeTcbPrivilege	5052	ExamShieldSetup.exe
Token: SeSecurityPrivilege	5052	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	5052	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	5052	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	5052	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	5052	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	5052	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	5052	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	5052	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	5052	ExamShieldSetup.exe
Token: SeBackupPrivilege	5052	ExamShieldSetup.exe
Token: SeRestorePrivilege	5052	ExamShieldSetup.exe
Token: SeShutdownPrivilege	5052	ExamShieldSetup.exe
Token: SeDebugPrivilege	5052	ExamShieldSetup.exe
Token: SeAuditPrivilege	5052	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	5052	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	5052	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	5052	ExamShieldSetup.exe
Token: SeUndockPrivilege	5052	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	5052	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	5052	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	5052	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	5052	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	5052	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	5052	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	5052	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	5052	ExamShieldSetup.exe
Token: SeTcbPrivilege	5052	ExamShieldSetup.exe
Token: SeSecurityPrivilege	5052	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	5052	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	5052	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	5052	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	5052	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	5052	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	5052	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	5052	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	5052	ExamShieldSetup.exe
Token: SeBackupPrivilege	5052	ExamShieldSetup.exe
Token: SeRestorePrivilege	5052	ExamShieldSetup.exe
Token: SeShutdownPrivilege	5052	ExamShieldSetup.exe
Token: SeDebugPrivilege	5052	ExamShieldSetup.exe
Token: SeAuditPrivilege	5052	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	5052	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	5052	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	5052	ExamShieldSetup.exe
Token: SeUndockPrivilege	5052	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	5052	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	5052	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	5052	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	5052	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	5052	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	5052	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	5052	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	5052	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	5052	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2804	msiexec.exe
2804	msiexec.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1504	ExamShieldLauncher.exe
1504	ExamShieldLauncher.exe
1504	ExamShieldLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4068	2432	msedge.exe	80
PID 2432 wrote to memory of 4068	2432	msedge.exe	80
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 4796	2432	msedge.exe	81
PID 2432 wrote to memory of 1476	2432	msedge.exe	82
PID 2432 wrote to memory of 1476	2432	msedge.exe	82
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83
PID 2432 wrote to memory of 3444	2432	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.peoplecert.org/files/ExamShieldLauncher.exe?id=anonymous
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff844dc3cb8,0x7ff844dc3cc8,0x7ff844dc3cd8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Users\Admin\Downloads\ExamShieldLauncher.exe
  "C:\Users\Admin\Downloads\ExamShieldLauncher.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1504
- - C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
    "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
    3⤵
    - Executes dropped EXE
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\ExamShieldSetup.exe
      C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}" /z" LAUNCHEXAMSHIELD" /IS_temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies registry class
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{083414F6-DDC5-4057-AC58-9A10707A1483}
        5⤵
        Executes dropped EXE
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4921FF66-6DDF-40DE-9968-3DD4E2F0A22A}
        5⤵
        Executes dropped EXE
        
        PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3158FD31-36CA-4446-91F6-8FEFF6B8D66E}
        5⤵
        Executes dropped EXE
        
        PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51D3E71E-C266-4345-9FCF-AC7F2BEB4125}
        5⤵
        Executes dropped EXE
        
        PID:332
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A5497EC2-3A20-4786-B6EA-F3832A044128}
        5⤵
        Executes dropped EXE
        
        PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7CBDC4EA-97A3-48C8-A3D3-D18F0B26291A}
        5⤵
        Executes dropped EXE
        
        PID:3284
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{23342C2A-4417-4803-929F-989B2E2A1EF6}
        5⤵
        Executes dropped EXE
        
        PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C3403E2-AAD4-4DB7-87CB-6FF38CF9650D}
        5⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08BD9F69-452A-4946-BC15-541B73E40069}
        5⤵
        Executes dropped EXE
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
        
        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F0E8D198-E7F4-4C20-9FB8-4A4A8395846F}
        5⤵
        Executes dropped EXE
        
        PID:4568
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
        5⤵
        
        PID:2932
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
        5⤵
        
        PID:440
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3572
    - - C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
        
        C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3360
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:3900
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:520
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:3364
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:3620
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:1908
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:4652
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:2492
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:3784
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:5052
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:1908
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:2104
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:3868
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:3808
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:1124
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:4464
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:1520
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:1964
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:3060
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:5028
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:4376
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:4848
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:3508
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:3552
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:4828
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:2312
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:4648
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        6⤵
        
        PID:2560
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}"
        5⤵
        
        PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 73746888ADE1C072B99483538C1BA6C2 C
  2⤵
  - Loads dropped DLL
  PID:3120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A104E6FC0EDCDB72CCE6D31EBDF0B178
  2⤵
  - Loads dropped DLL
  PID:4072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5894e9.rbs

Filesize
13KB

MD5
fd6317f40acfae7ca2a878dfea34936f

SHA1
8da8826ac8347eae883dc2d9a6791ec5182bbcb0

SHA256
6ecd301641fd4de4610bdcaf81e984cec71f363a889489f53b9b9042b6dc0459

SHA512
ecdc7b587cd6311869644da4ca9447259ca268ca96291536e8b4ce7ed162f34b828d1ea1a2ff5effb4848c3e4b44890a6a6747f60952e90714a523408aa35308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
727B

MD5
6f9bfb5d4a572c225a6f0430c826d4c1

SHA1
258c43e4432f9eb27c80eb0c1d64733c7dcfe403

SHA256
c1b82b4c1eca07fa25767146e20bb0766d7e9a37001375faaa0bf188df9ceb68

SHA512
089c4acbe81f5fe03618b9f24ba6ce89180a38fa4bcd51bdddab17a554a61861bffdc457dfc778abac1d5d36cfd42d643a0aa411156b7c2b2fa732cbeaa57f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
408B

MD5
e0ed9524bc12ebc6ea31bdb4b2c06581

SHA1
e1687fdfe97a6041df476310215d398feb888eab

SHA256
1325343b4cd75e9327b6f2cfcb03718786668628254bd15ad5fc05052d0bcc8b

SHA512
07dd661ca6996eca4019c714d9feb98b7dd97d6b59cf1efb2a95f747e6f781516c07b45ca67cfce382d40081d9257c80a84e36368c12ad8bd441c2ba495a5609

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe

Filesize
41.8MB

MD5
cf885b0cf0bcd2e7ceba26f9091c5f6f

SHA1
57af3552fb6a4c212f41bb19dc6e9645e72cfc3d

SHA256
4e0d4aa9e02d0d32fc5d4644df7d594eea9908606eecdcd093f7275155468cc3

SHA512
e8b00ede3e2253db2b708f3d4427705480326619ecea66835c854f3aed38908cb0e5d77d96ce14103d8a6ed8a8f46adc6bcee3613bf340c603e8537a22f98cde

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat

Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat

Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\settings.dat

Filesize
208B

MD5
417634108bb920015c2ae792867f3ca6

SHA1
738777529d30b923018a5f4101561f1bbedd74b7

SHA256
0e698faefaa0de209a076923424b431696857425407cdb65025c1732bc59d091

SHA512
12b1d0b4539fa9cbf1c950f30a11859416ad84f7a358fc7cc5eb29a21c3629208b69e9e0a36d1c1398a1387e77ef6f1ed84f4fdb0c04e6668fff664d509adfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1998107017edc46fed4599ad24cfe53

SHA1
47e92f0646f0de9241c59f88e0c10561a2236b5e

SHA256
cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa

SHA512
ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21cf39beee4d807318a05a10dc3f1bf3

SHA1
01ef7fc09919eb33292a76934d3f2b5ba248f79c

SHA256
b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939

SHA512
0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
191B

MD5
8cb97e507f6211cb4c573183c27f9c57

SHA1
84f8dfd3b274d53ea693e223d248331526d19a3e

SHA256
eb1b7575bc3e4fff262f68e66ee9b58d429f17249d5526516a38839f0def7cf8

SHA512
2aa59d9d7bd15d62ec82bcdddcc3346663d42b24f165ead25b1a7b6c5e66277baf3e849b2a5297da227e5a9ccff85706d01cc2d5a8f9acfe0f545a6ccf89094f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
baf335496c8394967f172e37daa18579

SHA1
ab699d6b9b0dbefef40a14c85220d954540f65b5

SHA256
3da604116921967153bdd75905858f948b465446f87fec86db16e6806d33c01d

SHA512
35999f40f279e7ee6cdfd5c46240c3bf1a1327a0eb2d0c8bb425322ad0a6064f922b3e17f591f882153059be63c861ebf052e97a3e3ed4b9864d4b73c266a6de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d5e10496293876adbdffdeadb85f7d4

SHA1
f0f452cc09a7593a7f8589d449240e0552af84dd

SHA256
952ca669df92c6fc52743c90b07b1e69ed998c3aa964e7a51ec0648120648ec2

SHA512
c94718378e055c8860eb7536f8166adc14d0429635577a9704ff2b0f38d36c23d8501a1eee2594314444ea2d6819807a64c85f05cb2e7d15bdfc31b0f5cb983b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6bef3ab82ae9cfd7b8f247c290685cc9

SHA1
ac8753e3324eb6b109c6bbf8795e86c00c62b8f8

SHA256
52056a0e98080c56af25a7c6a42fa1d20edc80d262260cb19754fbc0bcf675a7

SHA512
2007dda1844103a8286d5510447a45de29e2aee9f8034c15b99bab29528318843367438e1d499bd4e26a30e5d97f0ac97af21a39617ce58671a2b244ff1a9505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2dfe5184f35a0ecb14d4a9eda90f00cc

SHA1
3f30dbe7610f055202094825cee672dbaa92f46c

SHA256
b09e2221d04b64d3ca190c3a8e9590321f17ce53ba5ce3a622861f32f5971abf

SHA512
1bf3b285a21a4505a1644b524fccc68abfadccf621baeec54a9530ac9b68eb90706e1319a89f8234e8a76a45cc709076eeb9d30189e3fee6d7f561ebd6d3eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt

Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI86A9.tmp

Filesize
832KB

MD5
913b6675436bf50376f6a56a396e18d2

SHA1
d3298e7c8165bdb6e175031e028f5a146bda7806

SHA256
74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7

SHA512
281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is7D6B..dll

Filesize
2.7MB

MD5
204430c922db9a71b05c6ecc5a75a0c8

SHA1
2df84dfa1ea76717281f9ef2a04f0430ba9e92fe

SHA256
c842b222ff253e85483b6247c7a16beade1d999d134ceffc42b0c26b9c934b94

SHA512
b1748a9efa21894a1cbd0bd40394384d5e80458385b82a3d819669a3171275b6f2c0e6dfc56101b15df8553e63a22fb4130ab4de882bc23cb564341c2c123d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss8010.tmp

Filesize
3.6MB

MD5
eea876cf48e4eddc5907867bce679bbe

SHA1
7381ad4fe632df9865d1e4dac2eee83d8b2ce294

SHA256
6a31175cb45f6c0adbaed3e126c580bbff491a302b3840250c3bb883a713fe2f

SHA512
f9eb2b256f2771fd9d9302883359ba9173d3bc59d6ee19a831fbfc3269fa1bd39ad5fff480e3669fe8aca4a477da85d8ffe25e39f01473babd5eec9077c33e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\ExamShield.msi

Filesize
28.6MB

MD5
189937fa174292d114c512003653b1f0

SHA1
3ba0887fbdc60c429f5f164366dfe1a20cf75420

SHA256
12400e1144a459b122e5559f76b46be1caf89b2e0dd72ac0f12887d52489c171

SHA512
a088ce606865b6bc71c4d5403cb905b9be634fee722da1ea37f877191acfabe501a4eff6e6fbb52526b4300354da6d90743ab327ed527489ea4b51fd0aa4bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\IsConfig.ini

Filesize
167B

MD5
76160c408a8fb519732e1c8b0b003e98

SHA1
b4eb261da32df4de3d393a9ccb44015907ae8aa6

SHA256
ae4b56d4ec1a107c6322841460f77ee0888c0d6aa412b9ba008db2ef419cee5e

SHA512
2c9835e2f4132d6f3ebbe67587673f93ab1be4e3e027f748527bed942a17b4f87f1efd9bc5f0219ab41311cfab29f341a0b9bedead264286e2649640553f315e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\_ISMSIDEL.INI

Filesize
632B

MD5
20b1a55469e7fdb49248b7beecf0f1d2

SHA1
ff0f3334841874a275ae200174465309f8afa7be

SHA256
7461fcd1a07708e1478fc9811b5a597dc86c63bfb8dbc8cabd7b930e8b717c38

SHA512
5546ee937e5d32f88bd1709313ee5d5aca16437f8d0509e17dc4b24432a3240c2d09b7b47f6c3c4a6ba09249db5c9b6b5dc9b3cc23d6115b26cfaec7d661a590

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\_ISMSIDEL.INI

Filesize
5KB

MD5
f06a1f36f9a0c6b462ac03e221a80128

SHA1
b0841d43aecc9682fb5e6026c8c87862e95f1de1

SHA256
fc68ada6f2e177c6e63990db4ebb9c78a1a78f7639a8c9154354fee1b1b07af8

SHA512
226a62d7dc41cb591d74592f9e6e830faf0024cb8978e82b27a72cbf543385cea863e1d8f7d8e22311fdcc8064766f272fdcbdbdd08698a9d7e7b65a19b04be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\_ISMSIDEL.INI

Filesize
272B

MD5
94d9940c66438fbe2c24274d0862ea09

SHA1
c989bd40c5483db858e7d5f87d03257b0d53d365

SHA256
cd0177ea7f3bc1fe3379044ef4a3ac7fc2b4e19adee572541aac047a19f1ca6a

SHA512
08218df9876f39f1ef75ca0785cc64d1317bdcd5bc0a199cb1774285c96bd6c191c0fd1a3a95bd829ae9fa8f8bc40127f054dcd9231c3ed98fa18e90dbd9dea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISRT.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\_isuser_0x0409.dll

Filesize
597KB

MD5
1fc83481da22b0fadd026b0f4ce069d2

SHA1
60070a10654f5f295652ae7ef1f57a1d9f545548

SHA256
0f92b9a5104988cc971d709ee8eac0e64d80d12a6736438dc8036619b5599f99

SHA512
ee65a78479957356aca7d5b4fcb419062595f4691a2aba97daf0249f208c02a6c6e6f8856b8c2932fccb933ee987e5b63a20e10cc7143015cda12b722ce0c4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5FE0.tmp

Filesize
6KB

MD5
ee1b87207cf78395e6541d14407fed5d

SHA1
491986421eb41eb48c02235b81faecee0ffc01ef

SHA256
161c415e795723cc7c62e04be418240ccda56f7f3f144c974e97830360c0cf30

SHA512
c4353bff531fcac47a52450f0c00899d94baf6a60a7e2fd1d18bfcf105e1772b58dcf6a5cb6ad01de738fde5612f3803fba4ed4ef43bf3efcb058ca4a1c38776

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe

Filesize
1.3MB

MD5
e9139c4ac957bb0b4ff13172d96ae664

SHA1
ef20e921bf6f3c0423db373accb57011537b55bc

SHA256
3201afbb20c3855e311d003d69afbeaed492cb5bc549a1c759703cd7560d0300

SHA512
8c0a5e7ca088f323a673604d311c341fab085a3f889d1c7f4bc72c260953732b7a530ec9536a18b7889e6f7a9b9640ecc5353aa04d92e26002fc8f7017f43e92

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini

Filesize
5KB

MD5
e737da741ac99cda6a1bf7f2857c9432

SHA1
a87f19808d410b9d5f824b798d4b2c51f66d31f2

SHA256
0fbf14482a7598a10acb65219949f2c6f9b692af9fd14760ba1c8f71b20564bc

SHA512
187c33961c7ff4d189d8de490dfb3e41429210145a22bcf0ac733c33e49af766a9661aadc64f5c0a7006de1653e525f15f80171a25e93c2967630880d6d86538

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll

Filesize
17KB

MD5
cbf3371bf4b1543c8beaf215bb674c14

SHA1
601eb169552f053d35730840ab5ab0042c3e4631

SHA256
012ea7bf952759f4bd52cc59f34b686949e10cb07eb293863649acbc275ed1fa

SHA512
446803c28352ad7ec53b59732485dbf781615a716bbdfac94e722e4afcb9bdd905d34b51b3e9bf98c26834599f9d0d5de3184607f66146d53cde40a6be36c5a2

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe

Filesize
19.5MB

MD5
e05259256d03f5211455de7d65d2a0e8

SHA1
edc53bb2dfddbfdfdebf728c823d622554843ded

SHA256
547371c9b9bb73581773d2d5cb69f483311f256062a5d9ae37f5bb3389dc14d1

SHA512
252be33a4fd9ffba35aa3305bd77035556608e1ff9365ad9466aabcf8f6efb394bbac52e8a06680f3f9d8bfaee45345cc37f8f85b69c0ba24daea913791fb0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll

Filesize
447KB

MD5
2319331fd9f77352804c3faf6cd3ebae

SHA1
35757a3ac4c6af5e81357f18f04f9f01614a7dfe

SHA256
f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa

SHA512
75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll

Filesize
361KB

MD5
cd1a3dac0e30d4d149a24c7757fd2c64

SHA1
5c54a6d4ce7feef79d708e4970f1f426ca71d546

SHA256
d74b6cac599489be70ecc11dc4cf60b09dc5455537799d7dcb29aab5ae3f5d48

SHA512
31d6bbfb1509cd90521b97066a6e3bd4223d5ed6f946b9c90f1c4cc75fac1077060442dee2162bd9a805abb83c26e4f2b722c44e81c6a4aa46e34b736f9129a5

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico

Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Users\Admin\Downloads\ExamShieldLauncher.exe

Filesize
3.5MB

MD5
3d65c83ef6cd531b1cea119ebaed6d4e

SHA1
dd34510ec94ccca3aad65d9956e62d99e214e9f8

SHA256
13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0

SHA512
a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271

Download Submit
C:\Users\Admin\Downloads\ExamShieldLauncher.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Installer\MSI999C.tmp

Filesize
626KB

MD5
95bf357fe831c0a89c6a3e3044660e94

SHA1
fa10a0dc55062b5a102eed06344491dc4adbff61

SHA256
2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483

SHA512
191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf

Download Submit
memory/3360-668-0x000000000D320000-0x000000000D368000-memory.dmp

Filesize
288KB

Download
memory/3360-718-0x0000000076090000-0x000000007618E000-memory.dmp

Filesize
1016KB

Download
memory/3360-631-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3360-632-0x0000000077880000-0x0000000077AD2000-memory.dmp

Filesize
2.3MB

Download
memory/3360-633-0x00000000774A0000-0x000000007772B000-memory.dmp

Filesize
2.5MB

Download
memory/3360-634-0x0000000077730000-0x000000007787D000-memory.dmp

Filesize
1.3MB

Download
memory/3360-629-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-640-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-641-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-642-0x00000000753A0000-0x000000007542A000-memory.dmp

Filesize
552KB

Download
memory/3360-643-0x0000000005680000-0x00000000056AA000-memory.dmp

Filesize
168KB

Download
memory/3360-644-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/3360-646-0x0000000005B40000-0x0000000005C76000-memory.dmp

Filesize
1.2MB

Download
memory/3360-645-0x00000000060F0000-0x0000000006696000-memory.dmp

Filesize
5.6MB

Download
memory/3360-648-0x0000000005AB0000-0x0000000005AC6000-memory.dmp

Filesize
88KB

Download
memory/3360-647-0x0000000005C80000-0x0000000005FD7000-memory.dmp

Filesize
3.3MB

Download
memory/3360-649-0x00000000066A0000-0x00000000066B2000-memory.dmp

Filesize
72KB

Download
memory/3360-650-0x0000000008ED0000-0x0000000008F62000-memory.dmp

Filesize
584KB

Download
memory/3360-653-0x0000000006040000-0x0000000006096000-memory.dmp

Filesize
344KB

Download
memory/3360-652-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/3360-654-0x0000000005AF0000-0x0000000005AFE000-memory.dmp

Filesize
56KB

Download
memory/3360-651-0x0000000076B50000-0x0000000077152000-memory.dmp

Filesize
6.0MB

Download
memory/3360-656-0x0000000009880000-0x00000000098E6000-memory.dmp

Filesize
408KB

Download
memory/3360-657-0x0000000009D80000-0x0000000009E4E000-memory.dmp

Filesize
824KB

Download
memory/3360-664-0x000000000A430000-0x000000000A43A000-memory.dmp

Filesize
40KB

Download
memory/3360-663-0x000000000A300000-0x000000000A412000-memory.dmp

Filesize
1.1MB

Download
memory/3360-662-0x000000000A2B0000-0x000000000A2BA000-memory.dmp

Filesize
40KB

Download
memory/3360-665-0x000000000B350000-0x000000000B394000-memory.dmp

Filesize
272KB

Download
memory/3360-666-0x000000000CD70000-0x000000000CD92000-memory.dmp

Filesize
136KB

Download
memory/3360-519-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-667-0x000000000D1E0000-0x000000000D1EE000-memory.dmp

Filesize
56KB

Download
memory/3360-1108-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-692-0x000000006F490000-0x000000006F6B3000-memory.dmp

Filesize
2.1MB

Download
memory/3360-695-0x0000000077880000-0x0000000077AD2000-memory.dmp

Filesize
2.3MB

Download
memory/3360-697-0x0000000076890000-0x00000000768B2000-memory.dmp

Filesize
136KB

Download
memory/3360-707-0x0000000075520000-0x0000000075528000-memory.dmp

Filesize
32KB

Download
memory/3360-711-0x0000000077730000-0x000000007787D000-memory.dmp

Filesize
1.3MB

Download
memory/3360-716-0x0000000075340000-0x0000000075355000-memory.dmp

Filesize
84KB

Download
memory/3360-730-0x000000006F6C0000-0x000000006F96B000-memory.dmp

Filesize
2.7MB

Download
memory/3360-729-0x00000000771F0000-0x0000000077241000-memory.dmp

Filesize
324KB

Download
memory/3360-726-0x000000006F970000-0x000000006FB12000-memory.dmp

Filesize
1.6MB

Download
memory/3360-733-0x000000006F030000-0x000000006F04F000-memory.dmp

Filesize
124KB

Download
memory/3360-694-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-732-0x000000006F050000-0x000000006F39E000-memory.dmp

Filesize
3.3MB

Download
memory/3360-728-0x00000000741A0000-0x00000000741AB000-memory.dmp

Filesize
44KB

Download
memory/3360-727-0x00000000741B0000-0x00000000741CD000-memory.dmp

Filesize
116KB

Download
memory/3360-722-0x0000000072B80000-0x0000000073005000-memory.dmp

Filesize
4.5MB

Download
memory/3360-725-0x00000000744F0000-0x00000000744FA000-memory.dmp

Filesize
40KB

Download
memory/3360-724-0x000000006FD40000-0x000000006FEAB000-memory.dmp

Filesize
1.4MB

Download
memory/3360-721-0x00000000749B0000-0x00000000749D1000-memory.dmp

Filesize
132KB

Download
memory/3360-719-0x0000000074DF0000-0x0000000074EF5000-memory.dmp

Filesize
1.0MB

Download
memory/3360-630-0x0000000005340000-0x0000000005387000-memory.dmp

Filesize
284KB

Download
memory/3360-717-0x0000000076360000-0x00000000763C4000-memory.dmp

Filesize
400KB

Download
memory/3360-715-0x0000000075360000-0x0000000075397000-memory.dmp

Filesize
220KB

Download
memory/3360-714-0x0000000075530000-0x0000000075549000-memory.dmp

Filesize
100KB

Download
memory/3360-713-0x00000000761F0000-0x000000007628C000-memory.dmp

Filesize
624KB

Download
memory/3360-709-0x0000000074FB0000-0x0000000074FC4000-memory.dmp

Filesize
80KB

Download
memory/3360-708-0x0000000072260000-0x0000000072A11000-memory.dmp

Filesize
7.7MB

Download
memory/3360-723-0x00000000741D0000-0x00000000743FE000-memory.dmp

Filesize
2.2MB

Download
memory/3360-720-0x0000000077490000-0x0000000077496000-memory.dmp

Filesize
24KB

Download
memory/3360-712-0x00000000753A0000-0x000000007542A000-memory.dmp

Filesize
552KB

Download
memory/3360-710-0x0000000074F00000-0x0000000074FAB000-memory.dmp

Filesize
684KB

Download
memory/3360-698-0x0000000075880000-0x00000000758FB000-memory.dmp

Filesize
492KB

Download
memory/3360-706-0x0000000074120000-0x0000000074132000-memory.dmp

Filesize
72KB

Download
memory/3360-705-0x0000000074FD0000-0x000000007505D000-memory.dmp

Filesize
564KB

Download
memory/3360-702-0x0000000074500000-0x0000000074554000-memory.dmp

Filesize
336KB

Download
memory/3360-704-0x00000000774A0000-0x000000007772B000-memory.dmp

Filesize
2.5MB

Download
memory/3360-703-0x0000000075430000-0x00000000754B2000-memory.dmp

Filesize
520KB

Download
memory/3360-700-0x00000000767D0000-0x000000007688B000-memory.dmp

Filesize
748KB

Download
memory/3360-699-0x0000000075A40000-0x0000000075A8A000-memory.dmp

Filesize
296KB

Download
memory/3360-696-0x00000000763D0000-0x0000000076492000-memory.dmp

Filesize
776KB

Download
memory/3360-734-0x000000000DB10000-0x000000000DB56000-memory.dmp

Filesize
280KB

Download
memory/3360-737-0x0000000077880000-0x0000000077AD2000-memory.dmp

Filesize
2.3MB

Download
memory/3360-746-0x00000000774A0000-0x000000007772B000-memory.dmp

Filesize
2.5MB

Download
memory/3360-745-0x0000000075430000-0x00000000754B2000-memory.dmp

Filesize
520KB

Download
memory/3360-744-0x0000000074500000-0x0000000074554000-memory.dmp

Filesize
336KB

Download
memory/3360-742-0x00000000767D0000-0x000000007688B000-memory.dmp

Filesize
748KB

Download
memory/3360-738-0x00000000763D0000-0x0000000076492000-memory.dmp

Filesize
776KB

Download
memory/3360-821-0x0000000000570000-0x0000000003216000-memory.dmp

Filesize
44.6MB

Download
memory/3360-866-0x00000000067E0000-0x00000000067F2000-memory.dmp

Filesize
72KB

Download
memory/3360-867-0x000000000D650000-0x000000000D6AA000-memory.dmp

Filesize
360KB

Download
memory/3360-868-0x000000000F500000-0x000000000FB18000-memory.dmp

Filesize
6.1MB

Download
memory/3360-869-0x000000000D6D0000-0x000000000D6E2000-memory.dmp

Filesize
72KB

Download
memory/3360-870-0x000000000D730000-0x000000000D76C000-memory.dmp

Filesize
240KB

Download
memory/3360-871-0x000000000D770000-0x000000000D7BC000-memory.dmp

Filesize
304KB

Download
memory/3360-872-0x000000000D8F0000-0x000000000D9FA000-memory.dmp

Filesize
1.0MB

Download
memory/3360-873-0x000000000D8D0000-0x000000000D8DA000-memory.dmp

Filesize
40KB

Download
memory/3360-921-0x000000000F260000-0x000000000F270000-memory.dmp

Filesize
64KB

Download
memory/3360-920-0x000000000F200000-0x000000000F24E000-memory.dmp

Filesize
312KB

Download
memory/3360-919-0x000000000DBA0000-0x000000000DBB6000-memory.dmp

Filesize
88KB

Download
memory/3360-923-0x0000000010520000-0x0000000010554000-memory.dmp

Filesize
208KB

Download
memory/3360-924-0x000000000F4E0000-0x000000000F4FA000-memory.dmp

Filesize
104KB

Download
memory/3360-925-0x0000000010550000-0x0000000010568000-memory.dmp

Filesize
96KB

Download
memory/3360-926-0x0000000010580000-0x0000000010672000-memory.dmp

Filesize
968KB

Download
memory/3360-927-0x0000000010760000-0x000000001082E000-memory.dmp

Filesize
824KB

Download
memory/3360-928-0x00000000112E0000-0x0000000011390000-memory.dmp

Filesize
704KB

Download
memory/3360-929-0x00000000113E0000-0x00000000113F2000-memory.dmp

Filesize
72KB

Download
memory/3360-930-0x0000000014110000-0x000000001463C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-1054-0x0000000006760000-0x000000000676C000-memory.dmp

Filesize
48KB

Download
memory/3360-1052-0x0000000006740000-0x0000000006754000-memory.dmp

Filesize
80KB

Download
memory/3360-1053-0x0000000006750000-0x0000000006762000-memory.dmp

Filesize
72KB

Download
memory/3404-506-0x000001E12C230000-0x000001E12CCF2000-memory.dmp

Filesize
10.8MB

Download
memory/5052-374-0x0000000005A00000-0x0000000005BC7000-memory.dmp

Filesize
1.8MB

Download