Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 137s
max time network: 140s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/07/2024, 09:06
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://download.peoplecert.org/files/ExamShieldLauncher.exe?id=anonymous
Resource: win11-20240709-en
General
Target: https://download.peoplecert.org/files/ExamShieldLauncher.exe?id=anonymous
Malware Config
Signatures
Downloads MZ/PE file
Modifies Windows Firewall (2 TTPs, 4 IoCs)
pid | Process
4684 | netsh.exe
5000 | netsh.exe
4856 | netsh.exe
3572 | netsh.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SYSTEMBIOSVERSION | ExamShield.exe
Executes dropped EXE (14 IoCs)
pid | Process
1504 | ExamShieldLauncher.exe
2140 | ExamShieldSetup.exe
5052 | ExamShieldSetup.exe
2016 | ISBEW64.exe
3900 | ISBEW64.exe
3612 | ISBEW64.exe
332 | ISBEW64.exe
1908 | ISBEW64.exe
3284 | ISBEW64.exe
5028 | ISBEW64.exe
2452 | ISBEW64.exe
4828 | ISBEW64.exe
4568 | ISBEW64.exe
3360 | ExamShield.exe
Loads dropped DLL (14 IoCs)
pid | Process
5052 | ExamShieldSetup.exe
3120 | MsiExec.exe
4072 | MsiExec.exe
3360 | ExamShield.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every letter except C:, D: and F:) | ExamShieldSetup.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every letter except C:, D: and F:) | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
3360 | ExamShield.exe
Drops file in Windows directory (16 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI999C.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFFD8C755CD417A972.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9F6C.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF1C1D880E65D349CE.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\e5894e8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI97B7.tmp | msiexec.exe
File created | C:\Windows\Installer\e5894ea.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF6E6ED1AD6FDD444D.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFE79369747574F62B.TMP | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI99DC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D48.tmp | msiexec.exe
File created | C:\Windows\Installer\e5894e8.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 12 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers network information (2 TTPs, 14 IoCs)
Uses a command-line utility to view network configuration.
pid | Process
1520 | NETSTAT.EXE
3060 | NETSTAT.EXE
3508 | NETSTAT.EXE
1908 | NETSTAT.EXE
3620 | NETSTAT.EXE
4828 | NETSTAT.EXE
4648 | NETSTAT.EXE
3868 | NETSTAT.EXE
4652 | NETSTAT.EXE
1124 | NETSTAT.EXE
4376 | NETSTAT.EXE
520 | NETSTAT.EXE
3784 | NETSTAT.EXE
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\DefaultIcon | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command\ | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield | ExamShieldSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open | ExamShieldSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell | ExamShieldSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\ = "URL:examshield" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\URL Protocol | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command | ExamShieldSetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1" | ExamShieldSetup.exe
Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = [certificate blob not captured in this report] | ExamShieldSetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | ExamShieldSetup.exe
NTFS ADS (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 71838.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\ExamShieldLauncher.exe:Zone.Identifier | msedge.exe
File created | C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldLauncher.exe\:SmartScreen:$DATA | ExamShieldLauncher.exe
File created | C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldLauncher.exe\:Zone.Identifier:$DATA | ExamShieldLauncher.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1476 | msedge.exe
2432 | msedge.exe
1120 | identity_helper.exe
4344 | msedge.exe
1376 | msedge.exe
5052 | ExamShieldSetup.exe
3404 | msiexec.exe
3360 | ExamShield.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process
2432 | msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeSecurityPrivilege | 3404 | msiexec.exe
Token: SeCreateTokenPrivilege | 5052 | ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege | 5052 | ExamShieldSetup.exe
Token: SeLockMemoryPrivilege | 5052 | ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege | 5052 | ExamShieldSetup.exe
Token: SeMachineAccountPrivilege | 5052 | ExamShieldSetup.exe
Token: SeTcbPrivilege | 5052 | ExamShieldSetup.exe
Token: SeSecurityPrivilege | 5052 | ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege | 5052 | ExamShieldSetup.exe
Token: SeLoadDriverPrivilege | 5052 | ExamShieldSetup.exe
Token: SeSystemProfilePrivilege | 5052 | ExamShieldSetup.exe
Token: SeSystemtimePrivilege | 5052 | ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege | 5052 | ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege | 5052 | ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege | 5052 | ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege | 5052 | ExamShieldSetup.exe
Token: SeBackupPrivilege | 5052 | ExamShieldSetup.exe
Token: SeRestorePrivilege | 5052 | ExamShieldSetup.exe
Token: SeShutdownPrivilege | 5052 | ExamShieldSetup.exe
Token: SeDebugPrivilege | 5052 | ExamShieldSetup.exe
Token: SeAuditPrivilege | 5052 | ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege | 5052 | ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege | 5052 | ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege | 5052 | ExamShieldSetup.exe
Token: SeUndockPrivilege | 5052 | ExamShieldSetup.exe
Token: SeSyncAgentPrivilege | 5052 | ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege | 5052 | ExamShieldSetup.exe
Token: SeManageVolumePrivilege | 5052 | ExamShieldSetup.exe
Token: SeImpersonatePrivilege | 5052 | ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege | 5052 | ExamShieldSetup.exe
Suspicious use of FindShellTrayWindow (39 IoCs)
pid | Process
2432 | msedge.exe
2804 | msiexec.exe
Suspicious use of SendNotifyMessage (12 IoCs)
pid | Process
2432 | msedge.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1504 | ExamShieldLauncher.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2432 wrote to memory of 4068 | 2432 | msedge.exe | 80
PID 2432 wrote to memory of 4796 | 2432 | msedge.exe | 81
PID 2432 wrote to memory of 1476 | 2432 | msedge.exe | 82
PID 2432 wrote to memory of 3444 | 2432 | msedge.exe | 83
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Process tree; indentation shows parent/child depth. Each entry gives the image path, the command line, the signatures triggered, and the PID.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.peoplecert.org/files/ExamShieldLauncher.exe?id=anonymous
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID: 2432

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff844dc3cb8,0x7ff844dc3cc8,0x7ff844dc3cd8
    PID: 4068

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    PID: 4796

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 1476

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    PID: 3444

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    PID: 4788

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    PID: 2448

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    PID: 1784

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5364 /prefetch:8
    PID: 3280

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 1120

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 4344

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
    PID: 3468

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    PID: 4716

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
    PID: 4760

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    PID: 4460

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
    PID: 1376

  C:\Users\Admin\Downloads\ExamShieldLauncher.exe
    Command line: "C:\Users\Admin\Downloads\ExamShieldLauncher.exe"
    Signatures: Executes dropped EXE; NTFS ADS; Suspicious use of SetWindowsHookEx
    PID: 1504

    C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
      Signatures: Executes dropped EXE
      PID: 2140

      C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\ExamShieldSetup.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}" /z" LAUNCHEXAMSHIELD" /IS_temp
        Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Modifies registry class; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID: 5052

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{083414F6-DDC5-4057-AC58-9A10707A1483}
          Signatures: Executes dropped EXE
          PID: 2016

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4921FF66-6DDF-40DE-9968-3DD4E2F0A22A}
          Signatures: Executes dropped EXE
          PID: 3900

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3158FD31-36CA-4446-91F6-8FEFF6B8D66E}
          Signatures: Executes dropped EXE
          PID: 3612

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51D3E71E-C266-4345-9FCF-AC7F2BEB4125}
          Signatures: Executes dropped EXE
          PID: 332

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A5497EC2-3A20-4786-B6EA-F3832A044128}
          Signatures: Executes dropped EXE
          PID: 1908

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7CBDC4EA-97A3-48C8-A3D3-D18F0B26291A}
          Signatures: Executes dropped EXE
          PID: 3284

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{23342C2A-4417-4803-929F-989B2E2A1EF6}
          Signatures: Executes dropped EXE
          PID: 5028

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C3403E2-AAD4-4DB7-87CB-6FF38CF9650D}
          Signatures: Executes dropped EXE
          PID: 2452

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08BD9F69-452A-4946-BC15-541B73E40069}
          Signatures: Executes dropped EXE
          PID: 4828

        C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F0E8D198-E7F4-4C20-9FB8-4A4A8395846F}
          Signatures: Executes dropped EXE
          PID: 4568

        C:\Windows\SysWOW64\msiexec.exe
          Command line: msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
          Signatures: Suspicious use of FindShellTrayWindow
          PID: 2804

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
          PID: 4444

          C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
            Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
            PID: 4684

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
          PID: 2344

          C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
            Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
            PID: 5000

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
          PID: 2932

          C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
            Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
            PID: 4856

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
          PID: 440

          C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3572
-
-
-
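Added example (not code from tria.ge or PeopleCert): a triage function for netsh.exe command lines like the four above. It separates read-only "show rule" queries from invocations that actually change the firewall, rates an allow rule higher when the program lives in a user-writable path such as AppData (the case in this run), and reserves the Netsh Helper DLL classification for a real "netsh add helper". The four netsh lines are copied from the tree; the "set allprofiles state off" and "add helper" lines are constructed to exercise cases this run does not contain.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# key=value pairs as netsh writes them; values may be double-quoted
_KV_RE = re.compile(r'(?i)\b([a-z]+)=(?:"([^"]*)"|(\S+))')
_VERBS = ("add", "set", "delete", "show", "dump", "reset", "import", "export")


@dataclass
class NetshFinding:
    kind: str                      # query | firewall_modify | helper_dll | other
    severity: str                  # info | medium | high
    reason: str
    rule_name: Optional[str] = None
    direction: Optional[str] = None
    program: Optional[str] = None


def is_user_writable(path: str) -> bool:
    """True for locations a standard user can overwrite (profile, temp, ProgramData).
    An allow rule bound to such a program trusts whatever is later written there."""
    p = path.lower().replace("/", "\\")
    return (p.startswith("c:\\users\\") or "\\appdata\\" in p
            or "\\programdata\\" in p or "\\temp\\" in p)


def triage_netsh(cmdline: str) -> NetshFinding:
    kv = {k.lower(): (q or u) for k, q, u in _KV_RE.findall(cmdline)}
    head = [t.lower() for t in _KV_RE.sub("", cmdline).split()]
    if not any("netsh" in t for t in head):
        return NetshFinding("other", "info", "not a netsh command line")

    # "netsh add helper <dll>": T1546.007, the DLL loads on every later netsh run
    if "add" in head and "helper" in head:
        i = head.index("helper")
        dll = head[i + 1] if i + 1 < len(head) else None
        return NetshFinding("helper_dll", "high", "registers a netsh helper DLL", program=dll)

    if "advfirewall" not in head and "firewall" not in head:
        return NetshFinding("other", "info", "netsh context outside the firewall")

    verb = next((v for v in _VERBS if v in head), None)
    name = kv.get("name")
    direction = kv.get("dir") or kv.get("direction")
    program = kv.get("program")
    if verb in ("show", "dump", "export"):
        return NetshFinding("query", "info", "read-only rule query; changes nothing",
                            rule_name=name, direction=direction)
    if verb == "set" and "state" in head and "off" in head:
        return NetshFinding("firewall_modify", "high", "turns a firewall profile off")
    if verb in ("add", "set") and kv.get("action", "").lower() == "allow":
        if program and is_user_writable(program):
            return NetshFinding("firewall_modify", "high",
                                "allow rule bound to a program in a user-writable path",
                                rule_name=name, direction=direction, program=program)
        return NetshFinding("firewall_modify", "medium", "allow rule added",
                            rule_name=name, direction=direction, program=program)
    return NetshFinding("firewall_modify", "medium", f"firewall rule change ({verb})",
                        rule_name=name, direction=direction, program=program)


def summarize(cmdlines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count findings by (kind, severity), so the four signature hits on the page
    collapse into two real changes plus two harmless queries."""
    counts: Dict[Tuple[str, str], int] = {}
    for c in cmdlines:
        f = triage_netsh(c)
        counts[(f.kind, f.severity)] = counts.get((f.kind, f.severity), 0) + 1
    return counts


# Four lines copied from the tree above; the last two are constructed examples.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall show rule name="Exam Shield" direction="IN"',
    r'netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes',
    r'netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"',
    r'netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes',
    r'netsh advfirewall set allprofiles state off',     # constructed: not in this run
    r'netsh add helper C:\Users\Public\evil.dll',        # constructed: not in this run
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        f = triage_netsh(c)
        print(f"{f.kind:16}{f.severity:8}{f.reason}")
    print(summarize(SAMPLE_CMDLINES))
```

The user-writable check is the part worth tuning for a real estate: add the paths your own software deploys to, and pair a high finding with a check that the program at that path is signed by the expected publisher.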
        [depth 5] C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
            PID: 3360
          [depth 6] C:\Windows\SYSTEM32\cmd.exe (14 instances, each with one NETSTAT.EXE child)
              cmdline: "cmd.exe" /C netstat -ano
            [depth 7] C:\Windows\system32\NETSTAT.EXE
                cmdline: netstat -ano
                - Gathers network information
              cmd.exe PID -> NETSTAT.EXE PID
              3900 -> 520
              3364 -> 3620
              1908 -> 4652
              2492 -> 3784
              5052 -> 1908
              2104 -> 3868
              3808 -> 1124
              4464 -> 1520
              1964 -> 3060
              5028 -> 4376
              4848 -> 3508
              3552 -> 4828
              2312 -> 4648
              2560 -> 1908
              (PIDs are reused within this run: 1908 is an ISBEW64.exe above, a cmd.exe here and two NETSTAT.EXE instances; 5028 and 4828 also appear on ISBEW64.exe instances. Correlate by process start time or GUID rather than by PID alone.)
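Added example, not part of the tria.ge report: rebuilding this part of the tree from process-start events while keying each process by (pid, start order) instead of pid alone, since pid 1908 belongs to four different processes in this run and 5028 and 4828 to two each. The event list is constructed from the PIDs shown on the page; the start order and the missing parents of the two root entries are assumptions, and the page provides neither timestamps nor ProcessGuids. The same linkage drives a simple "repeated discovery" check that credits the fourteen netstat runs to ExamShield.exe rather than to the short-lived cmd.exe wrappers.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ProcKey = Tuple[int, int]  # (pid, start sequence): unique even after pid reuse


@dataclass(frozen=True)
class ProcEvent:
    seq: int              # start order; a real feed carries a timestamp or ProcessGuid
    pid: int
    ppid: Optional[int]   # None: the parent lies outside this excerpt
    image: str
    cmdline: str


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def link_events(events: List[ProcEvent]) -> Dict[ProcKey, Optional[ProcKey]]:
    """Map each process to its parent, binding the child to whichever process
    owned ppid when the child started, not to a later process that reused it."""
    live: Dict[int, ProcKey] = {}
    parent_of: Dict[ProcKey, Optional[ProcKey]] = {}
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.pid, ev.seq)
        parent_of[key] = live.get(ev.ppid) if ev.ppid is not None else None
        live[ev.pid] = key
    return parent_of


def pid_collisions(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """PIDs that occur on more than one process, with their images in start order."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        seen[ev.pid].append(_base(ev.image))
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def parent_image(events: List[ProcEvent], pid: int) -> Optional[str]:
    """Parent image of the first process started with `pid`, resolved via (pid, seq)."""
    by_key = {(e.pid, e.seq): e for e in events}
    parent_of = link_events(events)
    key = min((k for k in by_key if k[0] == pid), default=None)
    p = parent_of.get(key) if key else None
    return _base(by_key[p].image) if p else None


def naive_parent_image(events: List[ProcEvent], pid: int) -> Optional[str]:
    """The same lookup keyed by pid only (last writer wins): wrong under pid reuse."""
    ordered = sorted(events, key=lambda e: e.seq)
    last_image = {e.pid: e.image for e in ordered}
    child = next((e for e in ordered if e.pid == pid), None)
    if child is None or child.ppid not in last_image:
        return None
    return _base(last_image[child.ppid])


def discovery_bursts(events: List[ProcEvent], needle: str = "netstat",
                     min_count: int = 5) -> Dict[str, int]:
    """Count discovery tools per grandparent (a cmd.exe wrapper sits in between)
    and report the processes that launched at least min_count of them."""
    by_key = {(e.pid, e.seq): e for e in events}
    parent_of = link_events(events)
    counts: Dict[ProcKey, int] = defaultdict(int)
    for key, ev in by_key.items():
        if needle not in _base(ev.image).lower():
            continue
        p = parent_of.get(key)
        gp = parent_of.get(p) if p else None
        origin = gp or p          # no shell in between: credit the parent itself
        if origin:
            counts[origin] += 1
    return {f"{_base(by_key[k].image)} (pid {k[0]})": n
            for k, n in counts.items() if n >= min_count}


# Constructed from the PIDs in the tree above; seq is an assumed start order.
_ISBEW64 = r"C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\ISBEW64.exe"
_EXAMSHIELD = r"C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe"
_CMD = r"C:\Windows\SYSTEM32\cmd.exe"
_NETSTAT = r"C:\Windows\system32\NETSTAT.EXE"
_NETSTAT_PAIRS = [(3900, 520), (3364, 3620), (1908, 4652), (2492, 3784), (5052, 1908),
                  (2104, 3868), (3808, 1124), (4464, 1520), (1964, 3060), (5028, 4376),
                  (4848, 3508), (3552, 4828), (2312, 4648), (2560, 1908)]


def build_sample_events() -> List[ProcEvent]:
    events = [ProcEvent(i + 1, pid, None, _ISBEW64, "ISBEW64.exe {...}:{...}")
              for i, pid in enumerate([332, 1908, 3284, 5028, 2452, 4828, 4568])]
    events.append(ProcEvent(8, 3360, None, _EXAMSHIELD, _EXAMSHIELD))
    seq = 9
    for cmd_pid, net_pid in _NETSTAT_PAIRS:
        events.append(ProcEvent(seq, cmd_pid, 3360, _CMD, '"cmd.exe" /C netstat -ano'))
        events.append(ProcEvent(seq + 1, net_pid, cmd_pid, _NETSTAT, "netstat -ano"))
        seq += 2
    return events


EVENTS = build_sample_events()

if __name__ == "__main__":
    print("pid reuse:", pid_collisions(EVENTS))
    print("parent of pid 4652:", parent_image(EVENTS, 4652),
          "/ naive:", naive_parent_image(EVENTS, 4652))
    print("discovery bursts:", discovery_bursts(EVENTS))
```

On a real host the sequence number is replaced by the process start time (or Sysmon's ProcessGuid / ParentProcessGuid, which already encode it); the point is that a pid-keyed dictionary silently rewires children to the latest owner of the pid.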
        [depth 5] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}"
            (installer cleanup: removes the extraction directory that ISBEW64.exe, _isres_0x0409.dll and _isuser_0x0409.dll ran from)
            PID: 3148
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,2741307021477906239,1021727175259192154,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
      PID: 4676
[depth 1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4356
[depth 1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1868
[depth 1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    (the Windows Installer service; the two MsiExec.exe -Embedding children below are its 32-bit custom-action servers)
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3404
  [depth 2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 73746888ADE1C072B99483538C1BA6C2 C
      - Loads dropped DLL
      PID: 3120
  [depth 2] C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A104E6FC0EDCDB72CCE6D31EBDF0B178
      - Loads dropped DLL
      PID: 4072
[depth 1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    PID: 3708
Network
MITRE ATT&CK Enterprise v15
(the number after each technique is the count of signatures mapped to it)
Persistence
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Netsh Helper DLL (T1546.007): 1
Privilege Escalation
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Netsh Helper DLL (T1546.007): 1
Defense Evasion
  Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
  Modify Registry (T1112): 1
  Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
Note: the Netsh Helper DLL and Disable or Modify System Firewall rows come from the netsh.exe invocations in the tree above. The visible command lines query for and add inbound/outbound allow rules for ExamShield.exe; none disables the firewall or registers a helper DLL, so treat those two mappings as signature-level hints rather than observed behaviour.
Downloads

Filesize: 13KB
MD5: fd6317f40acfae7ca2a878dfea34936f
SHA1: 8da8826ac8347eae883dc2d9a6791ec5182bbcb0
SHA256: 6ecd301641fd4de4610bdcaf81e984cec71f363a889489f53b9b9042b6dc0459
SHA512: ecdc7b587cd6311869644da4ca9447259ca268ca96291536e8b4ce7ed162f34b828d1ea1a2ff5effb4848c3e4b44890a6a6747f60952e90714a523408aa35308

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E
Filesize: 727B
MD5: 6f9bfb5d4a572c225a6f0430c826d4c1
SHA1: 258c43e4432f9eb27c80eb0c1d64733c7dcfe403
SHA256: c1b82b4c1eca07fa25767146e20bb0766d7e9a37001375faaa0bf188df9ceb68
SHA512: 089c4acbe81f5fe03618b9f24ba6ce89180a38fa4bcd51bdddab17a554a61861bffdc457dfc778abac1d5d36cfd42d643a0aa411156b7c2b2fa732cbeaa57f1a

Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E
Filesize: 408B
MD5: e0ed9524bc12ebc6ea31bdb4b2c06581
SHA1: e1687fdfe97a6041df476310215d398feb888eab
SHA256: 1325343b4cd75e9327b6f2cfcb03718786668628254bd15ad5fc05052d0bcc8b
SHA512: 07dd661ca6996eca4019c714d9feb98b7dd97d6b59cf1efb2a95f747e6f781516c07b45ca67cfce382d40081d9257c80a84e36368c12ad8bd441c2ba495a5609

Filesize: 41.8MB
MD5: cf885b0cf0bcd2e7ceba26f9091c5f6f
SHA1: 57af3552fb6a4c212f41bb19dc6e9645e72cfc3d
SHA256: 4e0d4aa9e02d0d32fc5d4644df7d594eea9908606eecdcd093f7275155468cc3
SHA512: e8b00ede3e2253db2b708f3d4427705480326619ecea66835c854f3aed38908cb0e5d77d96ce14103d8a6ed8a8f46adc6bcee3613bf340c603e8537a22f98cde

Filesize: 103B
MD5: ca0a346e58cc7f177fe9ab3a7abaff46
SHA1: 0f5ed1b10b848731b7a7e19ac799b46c7eaaec44
SHA256: f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011
SHA512: 858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Filesize: 73B
MD5: 10db042a6c5c43a13106a70f42c9eae0
SHA1: 6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9
SHA256: 34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74
SHA512: d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Filesize: 208B
MD5: 417634108bb920015c2ae792867f3ca6
SHA1: 738777529d30b923018a5f4101561f1bbedd74b7
SHA256: 0e698faefaa0de209a076923424b431696857425407cdb65025c1732bc59d091
SHA512: 12b1d0b4539fa9cbf1c950f30a11859416ad84f7a358fc7cc5eb29a21c3629208b69e9e0a36d1c1398a1387e77ef6f1ed84f4fdb0c04e6668fff664d509adfce

Filesize: 152B
MD5: f1998107017edc46fed4599ad24cfe53
SHA1: 47e92f0646f0de9241c59f88e0c10561a2236b5e
SHA256: cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa
SHA512: ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816

Filesize: 152B
MD5: 21cf39beee4d807318a05a10dc3f1bf3
SHA1: 01ef7fc09919eb33292a76934d3f2b5ba248f79c
SHA256: b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939
SHA512: 0baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291

Filesize: 191B
MD5: 8cb97e507f6211cb4c573183c27f9c57
SHA1: 84f8dfd3b274d53ea693e223d248331526d19a3e
SHA256: eb1b7575bc3e4fff262f68e66ee9b58d429f17249d5526516a38839f0def7cf8
SHA512: 2aa59d9d7bd15d62ec82bcdddcc3346663d42b24f165ead25b1a7b6c5e66277baf3e849b2a5297da227e5a9ccff85706d01cc2d5a8f9acfe0f545a6ccf89094f

Filesize: 5KB
MD5: baf335496c8394967f172e37daa18579
SHA1: ab699d6b9b0dbefef40a14c85220d954540f65b5
SHA256: 3da604116921967153bdd75905858f948b465446f87fec86db16e6806d33c01d
SHA512: 35999f40f279e7ee6cdfd5c46240c3bf1a1327a0eb2d0c8bb425322ad0a6064f922b3e17f591f882153059be63c861ebf052e97a3e3ed4b9864d4b73c266a6de

Filesize: 5KB
MD5: 4d5e10496293876adbdffdeadb85f7d4
SHA1: f0f452cc09a7593a7f8589d449240e0552af84dd
SHA256: 952ca669df92c6fc52743c90b07b1e69ed998c3aa964e7a51ec0648120648ec2
SHA512: c94718378e055c8860eb7536f8166adc14d0429635577a9704ff2b0f38d36c23d8501a1eee2594314444ea2d6819807a64c85f05cb2e7d15bdfc31b0f5cb983b

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: 6bef3ab82ae9cfd7b8f247c290685cc9
SHA1: ac8753e3324eb6b109c6bbf8795e86c00c62b8f8
SHA256: 52056a0e98080c56af25a7c6a42fa1d20edc80d262260cb19754fbc0bcf675a7
SHA512: 2007dda1844103a8286d5510447a45de29e2aee9f8034c15b99bab29528318843367438e1d499bd4e26a30e5d97f0ac97af21a39617ce58671a2b244ff1a9505

Filesize: 11KB
MD5: 2dfe5184f35a0ecb14d4a9eda90f00cc
SHA1: 3f30dbe7610f055202094825cee672dbaa92f46c
SHA256: b09e2221d04b64d3ca190c3a8e9590321f17ce53ba5ce3a622861f32f5971abf
SHA512: 1bf3b285a21a4505a1644b524fccc68abfadccf621baeec54a9530ac9b68eb90706e1319a89f8234e8a76a45cc709076eeb9d30189e3fee6d7f561ebd6d3eeb3

Filesize: 44B
MD5: 656d246c6ce9a47f07ec793b6bb27f07
SHA1: 0c098838274f64dbb02500a68b855e6703dddaf1
SHA256: 77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4
SHA512: 9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Filesize: 832KB
MD5: 913b6675436bf50376f6a56a396e18d2
SHA1: d3298e7c8165bdb6e175031e028f5a146bda7806
SHA256: 74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7
SHA512: 281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Filesize: 2.7MB
MD5: 204430c922db9a71b05c6ecc5a75a0c8
SHA1: 2df84dfa1ea76717281f9ef2a04f0430ba9e92fe
SHA256: c842b222ff253e85483b6247c7a16beade1d999d134ceffc42b0c26b9c934b94
SHA512: b1748a9efa21894a1cbd0bd40394384d5e80458385b82a3d819669a3171275b6f2c0e6dfc56101b15df8553e63a22fb4130ab4de882bc23cb564341c2c123d6b

Filesize: 3.6MB
MD5: eea876cf48e4eddc5907867bce679bbe
SHA1: 7381ad4fe632df9865d1e4dac2eee83d8b2ce294
SHA256: 6a31175cb45f6c0adbaed3e126c580bbff491a302b3840250c3bb883a713fe2f
SHA512: f9eb2b256f2771fd9d9302883359ba9173d3bc59d6ee19a831fbfc3269fa1bd39ad5fff480e3669fe8aca4a477da85d8ffe25e39f01473babd5eec9077c33e16

Filesize: 22KB
MD5: 1196f20ca8bcaa637625e6a061d74c9e
SHA1: d0946b58676c9c6e57645dbcffc92c61eca3b274
SHA256: cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29
SHA512: 75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Filesize: 28.6MB
MD5: 189937fa174292d114c512003653b1f0
SHA1: 3ba0887fbdc60c429f5f164366dfe1a20cf75420
SHA256: 12400e1144a459b122e5559f76b46be1caf89b2e0dd72ac0f12887d52489c171
SHA512: a088ce606865b6bc71c4d5403cb905b9be634fee722da1ea37f877191acfabe501a4eff6e6fbb52526b4300354da6d90743ab327ed527489ea4b51fd0aa4bc36

Filesize: 167B
MD5: 76160c408a8fb519732e1c8b0b003e98
SHA1: b4eb261da32df4de3d393a9ccb44015907ae8aa6
SHA256: ae4b56d4ec1a107c6322841460f77ee0888c0d6aa412b9ba008db2ef419cee5e
SHA512: 2c9835e2f4132d6f3ebbe67587673f93ab1be4e3e027f748527bed942a17b4f87f1efd9bc5f0219ab41311cfab29f341a0b9bedead264286e2649640553f315e

Filesize: 632B
MD5: 20b1a55469e7fdb49248b7beecf0f1d2
SHA1: ff0f3334841874a275ae200174465309f8afa7be
SHA256: 7461fcd1a07708e1478fc9811b5a597dc86c63bfb8dbc8cabd7b930e8b717c38
SHA512: 5546ee937e5d32f88bd1709313ee5d5aca16437f8d0509e17dc4b24432a3240c2d09b7b47f6c3c4a6ba09249db5c9b6b5dc9b3cc23d6115b26cfaec7d661a590

Filesize: 5KB
MD5: f06a1f36f9a0c6b462ac03e221a80128
SHA1: b0841d43aecc9682fb5e6026c8c87862e95f1de1
SHA256: fc68ada6f2e177c6e63990db4ebb9c78a1a78f7639a8c9154354fee1b1b07af8
SHA512: 226a62d7dc41cb591d74592f9e6e830faf0024cb8978e82b27a72cbf543385cea863e1d8f7d8e22311fdcc8064766f272fdcbdbdd08698a9d7e7b65a19b04be8

Filesize: 272B
MD5: 94d9940c66438fbe2c24274d0862ea09
SHA1: c989bd40c5483db858e7d5f87d03257b0d53d365
SHA256: cd0177ea7f3bc1fe3379044ef4a3ac7fc2b4e19adee572541aac047a19f1ca6a
SHA512: 08218df9876f39f1ef75ca0785cc64d1317bdcd5bc0a199cb1774285c96bd6c191c0fd1a3a95bd829ae9fa8f8bc40127f054dcd9231c3ed98fa18e90dbd9dea5

Filesize: 198KB
MD5: 28857f9a5dc8af367e533076267f5b4d
SHA1: ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa
SHA256: 9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee
SHA512: 8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Filesize: 1.1MB
MD5: ff43031211486580947f25f293b8125b
SHA1: 31030ea85fce86a7679f80771838d58df631c28c
SHA256: 423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0
SHA512: 42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Path: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\_isres_0x0409.dll
Filesize: 1.8MB
MD5: 8afdae8fe83d1a813b54e48230aed2db
SHA1: ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c
SHA256: d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6
SHA512: fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Path: C:\Users\Admin\AppData\Local\Temp\{B4FD3CE3-21AA-4EE4-9CBE-5CE4D0D2751C}\{8D647BE1}\_isuser_0x0409.dll
Filesize: 597KB
MD5: 1fc83481da22b0fadd026b0f4ce069d2
SHA1: 60070a10654f5f295652ae7ef1f57a1d9f545548
SHA256: 0f92b9a5104988cc971d709ee8eac0e64d80d12a6736438dc8036619b5599f99
SHA512: ee65a78479957356aca7d5b4fcb419062595f4691a2aba97daf0249f208c02a6c6e6f8856b8c2932fccb933ee987e5b63a20e10cc7143015cda12b722ce0c4cb

Filesize: 6KB
MD5: ee1b87207cf78395e6541d14407fed5d
SHA1: 491986421eb41eb48c02235b81faecee0ffc01ef
SHA256: 161c415e795723cc7c62e04be418240ccda56f7f3f144c974e97830360c0cf30
SHA512: c4353bff531fcac47a52450f0c00899d94baf6a60a7e2fd1d18bfcf105e1772b58dcf6a5cb6ad01de738fde5612f3803fba4ed4ef43bf3efcb058ca4a1c38776

Path: C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe
Filesize: 1.3MB
MD5: e9139c4ac957bb0b4ff13172d96ae664
SHA1: ef20e921bf6f3c0423db373accb57011537b55bc
SHA256: 3201afbb20c3855e311d003d69afbeaed492cb5bc549a1c759703cd7560d0300
SHA512: 8c0a5e7ca088f323a673604d311c341fab085a3f889d1c7f4bc72c260953732b7a530ec9536a18b7889e6f7a9b9640ecc5353aa04d92e26002fc8f7017f43e92

Path: C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini
Filesize: 5KB
MD5: e737da741ac99cda6a1bf7f2857c9432
SHA1: a87f19808d410b9d5f824b798d4b2c51f66d31f2
SHA256: 0fbf14482a7598a10acb65219949f2c6f9b692af9fd14760ba1c8f71b20564bc
SHA512: 187c33961c7ff4d189d8de490dfb3e41429210145a22bcf0ac733c33e49af766a9661aadc64f5c0a7006de1653e525f15f80171a25e93c2967630880d6d86538

Filesize: 17KB
MD5: cbf3371bf4b1543c8beaf215bb674c14
SHA1: 601eb169552f053d35730840ab5ab0042c3e4631
SHA256: 012ea7bf952759f4bd52cc59f34b686949e10cb07eb293863649acbc275ed1fa
SHA512: 446803c28352ad7ec53b59732485dbf781615a716bbdfac94e722e4afcb9bdd905d34b51b3e9bf98c26834599f9d0d5de3184607f66146d53cde40a6be36c5a2

Filesize: 19.5MB
MD5: e05259256d03f5211455de7d65d2a0e8
SHA1: edc53bb2dfddbfdfdebf728c823d622554843ded
SHA256: 547371c9b9bb73581773d2d5cb69f483311f256062a5d9ae37f5bb3389dc14d1
SHA512: 252be33a4fd9ffba35aa3305bd77035556608e1ff9365ad9466aabcf8f6efb394bbac52e8a06680f3f9d8bfaee45345cc37f8f85b69c0ba24daea913791fb0d9

Filesize: 447KB
MD5: 2319331fd9f77352804c3faf6cd3ebae
SHA1: 35757a3ac4c6af5e81357f18f04f9f01614a7dfe
SHA256: f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa
SHA512: 75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Filesize: 361KB
MD5: cd1a3dac0e30d4d149a24c7757fd2c64
SHA1: 5c54a6d4ce7feef79d708e4970f1f426ca71d546
SHA256: d74b6cac599489be70ecc11dc4cf60b09dc5455537799d7dcb29aab5ae3f5d48
SHA512: 31d6bbfb1509cd90521b97066a6e3bd4223d5ed6f946b9c90f1c4cc75fac1077060442dee2162bd9a805abb83c26e4f2b722c44e81c6a4aa46e34b736f9129a5

Filesize: 24KB
MD5: 279e6e80c39add675219c447f9c1f381
SHA1: 8287588124e8f8a6c94435e44344e3ee7062c4be
SHA256: 22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527
SHA512: 477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Filesize: 3.5MB
MD5: 3d65c83ef6cd531b1cea119ebaed6d4e
SHA1: dd34510ec94ccca3aad65d9956e62d99e214e9f8
SHA256: 13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0
SHA512: a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 626KB
MD5: 95bf357fe831c0a89c6a3e3044660e94
SHA1: fa10a0dc55062b5a102eed06344491dc4adbff61
SHA256: 2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483
SHA512: 191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf