asyncrat | 13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
Size

3.5MB
MD5

3d65c83ef6cd531b1cea119ebaed6d4e
SHA1

dd34510ec94ccca3aad65d9956e62d99e214e9f8
SHA256

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0
SHA512

a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271
SSDEEP

98304:LVU8oNJUmv0ydoQK9q4YwjU4fyp/9EcdY11yyevzeXV:LVaOmiWV+11yyev

Score

10^/10

asyncrat defense_evasion discovery evasion persistence privilege_escalation rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2096	netsh.exe
3988	netsh.exe
3696	netsh.exe
2940	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ExamShieldSetup.exe

Executes dropped EXE 13 IoCs

pid	Process
4696	ExamShieldSetup.exe
536	ExamShieldSetup.exe
1836	ISBEW64.exe
3816	ISBEW64.exe
3676	ISBEW64.exe
2988	ISBEW64.exe
64	ISBEW64.exe
628	ISBEW64.exe
4976	ISBEW64.exe
3140	ISBEW64.exe
3176	ISBEW64.exe
4296	ISBEW64.exe
1912	ExamShield.exe

Loads dropped DLL 13 IoCs

pid	Process
536	ExamShieldSetup.exe
4600	MsiExec.exe
4600	MsiExec.exe
536	ExamShieldSetup.exe
536	ExamShieldSetup.exe
536	ExamShieldSetup.exe
536	ExamShieldSetup.exe
536	ExamShieldSetup.exe
2988	MsiExec.exe
2988	MsiExec.exe
2988	MsiExec.exe
2988	MsiExec.exe
1912	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1912	ExamShield.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI46E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E5D.tmp	msiexec.exe
File created	C:\Windows\Installer\e584478.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e584476.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A44.tmp	msiexec.exe
File created	C:\Windows\Installer\e584476.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Connections Discovery 1 TTPs 36 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
396	cmd.exe
2436	cmd.exe
5016	NETSTAT.EXE
3928	cmd.exe
3988	NETSTAT.EXE
1952	cmd.exe
4480	cmd.exe
1844	NETSTAT.EXE
3888	cmd.exe
4892	NETSTAT.EXE
116	cmd.exe
2188	cmd.exe
2132	cmd.exe
2496	cmd.exe
1564	cmd.exe
2060	NETSTAT.EXE
412	NETSTAT.EXE
384	NETSTAT.EXE
3792	NETSTAT.EXE
4020	NETSTAT.EXE
3000	NETSTAT.EXE
3716	NETSTAT.EXE
1576	NETSTAT.EXE
2368	cmd.exe
1404	cmd.exe
2260	NETSTAT.EXE
2296	cmd.exe
3184	NETSTAT.EXE
908	cmd.exe
4928	NETSTAT.EXE
4744	cmd.exe
4484	cmd.exe
3680	NETSTAT.EXE
4744	NETSTAT.EXE
3456	NETSTAT.EXE
628	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004640681c343585510000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004640681c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004640681c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4640681c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004640681c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Gathers network information 2 TTPs 18 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4928	NETSTAT.EXE
3184	NETSTAT.EXE
3000	NETSTAT.EXE
4744	NETSTAT.EXE
3716	NETSTAT.EXE
1576	NETSTAT.EXE
4892	NETSTAT.EXE
412	NETSTAT.EXE
3988	NETSTAT.EXE
2060	NETSTAT.EXE
1844	NETSTAT.EXE
5016	NETSTAT.EXE
3680	NETSTAT.EXE
384	NETSTAT.EXE
3792	NETSTAT.EXE
4020	NETSTAT.EXE
3456	NETSTAT.EXE
2260	NETSTAT.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open\command\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	ExamShieldSetup.exe
536	ExamShieldSetup.exe
3944	msiexec.exe
3944	msiexec.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe
1912	ExamShield.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3944	msiexec.exe
Token: SeCreateTokenPrivilege	536	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	536	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	536	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	536	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	536	ExamShieldSetup.exe
Token: SeTcbPrivilege	536	ExamShieldSetup.exe
Token: SeSecurityPrivilege	536	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	536	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	536	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	536	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	536	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	536	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	536	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	536	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	536	ExamShieldSetup.exe
Token: SeBackupPrivilege	536	ExamShieldSetup.exe
Token: SeRestorePrivilege	536	ExamShieldSetup.exe
Token: SeShutdownPrivilege	536	ExamShieldSetup.exe
Token: SeDebugPrivilege	536	ExamShieldSetup.exe
Token: SeAuditPrivilege	536	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	536	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	536	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	536	ExamShieldSetup.exe
Token: SeUndockPrivilege	536	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	536	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	536	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	536	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	536	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	536	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	536	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	536	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	536	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	536	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	536	ExamShieldSetup.exe
Token: SeTcbPrivilege	536	ExamShieldSetup.exe
Token: SeSecurityPrivilege	536	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	536	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	536	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	536	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	536	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	536	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	536	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	536	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	536	ExamShieldSetup.exe
Token: SeBackupPrivilege	536	ExamShieldSetup.exe
Token: SeRestorePrivilege	536	ExamShieldSetup.exe
Token: SeShutdownPrivilege	536	ExamShieldSetup.exe
Token: SeDebugPrivilege	536	ExamShieldSetup.exe
Token: SeAuditPrivilege	536	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	536	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	536	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	536	ExamShieldSetup.exe
Token: SeUndockPrivilege	536	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	536	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	536	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	536	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	536	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	536	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	536	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	536	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	536	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	536	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	536	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2976	msiexec.exe
2976	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4696	4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe	95
PID 4184 wrote to memory of 4696	4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe	95
PID 4184 wrote to memory of 4696	4184	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe	95
PID 4696 wrote to memory of 536	4696	ExamShieldSetup.exe	96
PID 4696 wrote to memory of 536	4696	ExamShieldSetup.exe	96
PID 4696 wrote to memory of 536	4696	ExamShieldSetup.exe	96
PID 3944 wrote to memory of 4600	3944	msiexec.exe	100
PID 3944 wrote to memory of 4600	3944	msiexec.exe	100
PID 3944 wrote to memory of 4600	3944	msiexec.exe	100
PID 536 wrote to memory of 1836	536	ExamShieldSetup.exe	101
PID 536 wrote to memory of 1836	536	ExamShieldSetup.exe	101
PID 536 wrote to memory of 3816	536	ExamShieldSetup.exe	103
PID 536 wrote to memory of 3816	536	ExamShieldSetup.exe	103
PID 536 wrote to memory of 3676	536	ExamShieldSetup.exe	104
PID 536 wrote to memory of 3676	536	ExamShieldSetup.exe	104
PID 536 wrote to memory of 2988	536	ExamShieldSetup.exe	105
PID 536 wrote to memory of 2988	536	ExamShieldSetup.exe	105
PID 536 wrote to memory of 64	536	ExamShieldSetup.exe	106
PID 536 wrote to memory of 64	536	ExamShieldSetup.exe	106
PID 536 wrote to memory of 628	536	ExamShieldSetup.exe	107
PID 536 wrote to memory of 628	536	ExamShieldSetup.exe	107
PID 536 wrote to memory of 4976	536	ExamShieldSetup.exe	108
PID 536 wrote to memory of 4976	536	ExamShieldSetup.exe	108
PID 536 wrote to memory of 3140	536	ExamShieldSetup.exe	109
PID 536 wrote to memory of 3140	536	ExamShieldSetup.exe	109
PID 536 wrote to memory of 3176	536	ExamShieldSetup.exe	110
PID 536 wrote to memory of 3176	536	ExamShieldSetup.exe	110
PID 536 wrote to memory of 4296	536	ExamShieldSetup.exe	111
PID 536 wrote to memory of 4296	536	ExamShieldSetup.exe	111
PID 536 wrote to memory of 2976	536	ExamShieldSetup.exe	112
PID 536 wrote to memory of 2976	536	ExamShieldSetup.exe	112
PID 536 wrote to memory of 2976	536	ExamShieldSetup.exe	112
PID 3944 wrote to memory of 2988	3944	msiexec.exe	120
PID 3944 wrote to memory of 2988	3944	msiexec.exe	120
PID 3944 wrote to memory of 2988	3944	msiexec.exe	120
PID 536 wrote to memory of 4748	536	ExamShieldSetup.exe	122
PID 536 wrote to memory of 4748	536	ExamShieldSetup.exe	122
PID 536 wrote to memory of 4748	536	ExamShieldSetup.exe	122
PID 4748 wrote to memory of 2096	4748	cmd.exe	124
PID 4748 wrote to memory of 2096	4748	cmd.exe	124
PID 4748 wrote to memory of 2096	4748	cmd.exe	124
PID 536 wrote to memory of 8	536	ExamShieldSetup.exe	125
PID 536 wrote to memory of 8	536	ExamShieldSetup.exe	125
PID 536 wrote to memory of 8	536	ExamShieldSetup.exe	125
PID 8 wrote to memory of 3988	8	cmd.exe	127
PID 8 wrote to memory of 3988	8	cmd.exe	127
PID 8 wrote to memory of 3988	8	cmd.exe	127
PID 536 wrote to memory of 3416	536	ExamShieldSetup.exe	128
PID 536 wrote to memory of 3416	536	ExamShieldSetup.exe	128
PID 536 wrote to memory of 3416	536	ExamShieldSetup.exe	128
PID 3416 wrote to memory of 3696	3416	cmd.exe	130
PID 3416 wrote to memory of 3696	3416	cmd.exe	130
PID 3416 wrote to memory of 3696	3416	cmd.exe	130
PID 536 wrote to memory of 3176	536	ExamShieldSetup.exe	131
PID 536 wrote to memory of 3176	536	ExamShieldSetup.exe	131
PID 536 wrote to memory of 3176	536	ExamShieldSetup.exe	131
PID 3176 wrote to memory of 2940	3176	cmd.exe	133
PID 3176 wrote to memory of 2940	3176	cmd.exe	133
PID 3176 wrote to memory of 2940	3176	cmd.exe	133
PID 536 wrote to memory of 1912	536	ExamShieldSetup.exe	134
PID 536 wrote to memory of 1912	536	ExamShieldSetup.exe	134
PID 536 wrote to memory of 1912	536	ExamShieldSetup.exe	134
PID 536 wrote to memory of 368	536	ExamShieldSetup.exe	136
PID 536 wrote to memory of 368	536	ExamShieldSetup.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.WCT23T.27470.26894.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
  "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\ExamShieldSetup.exe
    C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}" /z" LAUNCHEXAMSHIELD" /IS_temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50595E71-5E93-40DC-9F13-45688B905F2D}
      4⤵
      Executes dropped EXE
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8D243057-8678-47E5-809C-45B85CE24497}
      4⤵
      Executes dropped EXE
      PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C5A3184-88BB-4F8D-AAAD-886C2EBAFB95}
      4⤵
      Executes dropped EXE
      PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB9290B4-05AA-4A34-93EE-A50D4C152F6A}
      4⤵
      Executes dropped EXE
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8D0FE7DD-9DE1-42A9-A724-14BAB330FB6E}
      4⤵
      Executes dropped EXE
      PID:64
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F9E62F4-8506-4D01-AFD1-84E67451B9C8}
      4⤵
      Executes dropped EXE
      PID:628
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D936224-8487-4382-AFE0-F8E89C2273A6}
      4⤵
      Executes dropped EXE
      PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8673CD41-F665-49D4-9912-7385DB5CBD82}
      4⤵
      Executes dropped EXE
      PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{89C9ECEA-3435-47FC-A87F-37EB516676D2}
      4⤵
      Executes dropped EXE
      PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0CDF6BCA-F8F4-4505-BD8A-E52484971DEB}
      4⤵
      Executes dropped EXE
      PID:4296
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
  - - C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1912
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3888
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4892
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4744
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:412
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2368
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:116
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3792
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2188
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4020
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4484
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3184
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2132
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3000
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2496
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4744
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3928
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3716
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1404
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3456
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:396
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2260
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2436
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1576
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2296
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1564
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1844
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:908
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4928
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:628
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5016
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1952
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4480
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9A6759925ED7C2E5F1CD2D94252FE5DD C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C665AEADE33DF818FC19130F3D017F6C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1060

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584477.rbs

Filesize
13KB

MD5
790799fb068bec25283d91b153dd48cb

SHA1
299fb1662c91da8f733323e37f493e61ccb3fb22

SHA256
64e50e97d44223c7dc520dde25735e9b8f49d79ec48418624b89b2ab67b2e47c

SHA512
94d2763dbb6eaa39a15997a4023a9afd3a12cbfbeaad0646787fceabe051d5ad189532d30f54642276766681157b0a80cf76a4bde201734ba32d6df37f744740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
ce9a6874a76da10d24ad8bc4e20e3cf5

SHA1
3b27eb50a204d1e15d35342a9e9f8d9bc9fe69a2

SHA256
5ef7af52925ad2cfa6954bc78f37c121940dcb88884c12dc5ef330e0fa539929

SHA512
c3bfe608fef57bed48b8e52e18f028d925eef7d4afbdeb617ab1e9e7c5f97eb58290dc7edbb33b0907cd0150ae70ca4532aefc1ea22eac7dd5dae0c6c7e1e0ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
727B

MD5
a630301aed08e3a3923da80ec6877c6e

SHA1
262673b9194713a8c2493d0472d60bbd23c8ac2e

SHA256
cf75f499a3261ebd324d6fd2032d0a10929e8bf807edd899b2016f467d9d67cd

SHA512
f90cdbe880cd520d1f88281e3f9ae5fcadf5a72116df6cd9306b7114a9a4c7784375b53d5bab0b3ec5021a88ea95f7a68f0a4821f0226ec3f6f345e5f3b145f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
e6642a6fcf8fd3fbcd2d621728c4f1c5

SHA1
11d8ca735053cc90ce5aa1572a3b4780faedb464

SHA256
8ed8d126dbbc21d28a82318acb7d6df069357bfbe2ca5a2f2b3d155fcff958cf

SHA512
94576b8ea7940542e9c6fafbabdb308f0031c217c66d4444670e66809a84daa301ec56b8181e2becbc6855810cc35c6ee0115fb00fd4ed92bdd79df6bc6b4932

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
b0c30b61991f4ed053be21f76604859e

SHA1
d43841dedbb2b5f53af8a64ac59a99663ab949df

SHA256
0fdd7f212ac82c01fbc6b4958dfddc1b1599fb33f27bfd59171465d6525a1e23

SHA512
9c3568e0d4d30c1f770fb780e8d2d2de47cc4e0ea8e97c8e5eaed0b00056669917b03a8ef72f055d282013ae1097919bd670a136c93899b79c7ac1f44fbfa5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
408B

MD5
c59b3f5d3086e6b02fd11b864af1cd9f

SHA1
a719312f3fb1b0ac6eae1df087c4a8613808ea42

SHA256
01bad843616bcde482e0c81e2bd313b773a20a11279a9e9ead2a8045c5de503d

SHA512
8e48bcf82d6eecb053dafa592c3046c9d13554b61523a5b16c71d64edf4f27e3a072353fba490c0d6a220ad532d1db421457a4a7829ab9724c805a76b6f3b149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
edf4d766233a0ee35fb0eb87e95a3b1f

SHA1
69b3748668f452ec8be6d2e39611c0b80d4b5e0e

SHA256
e03f19f40867c4a6de6096a0ceefe8179195491761da18fb493476650df0c374

SHA512
f60d7eac7226d16de78d6d4ee6dd6dad15e451ac05adf97ce01ea06ef4af742b70c06afecaeb60856c437421c752e4af9e41a5b3de6dc306c8eb01c012820701

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldParams.dat

Filesize
9B

MD5
9bab2b4c50d8359fc53c582d09ca21df

SHA1
9b2473d04fc51348aa20d1fedf5e629c43a0ada9

SHA256
9dbf8057012e99a692df37f984b92232c1aeee59ba9576be9f440d2ae0bef774

SHA512
c989409cb5c9fd74b66ec0a6c2d2a0f1166c2f7e379794bc7511119c53388baf60e37ef0b0f8f3b854283f832fc91147b63da46eb3cef22bc394946e34943a12

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe

Filesize
41.8MB

MD5
95846ce7c1cb570ef1ba75cfe7e4ed90

SHA1
f8488ddd1fc199cd2182e64b1e7c828c85c39426

SHA256
448cd7978f7b8bcc3ffd6049a9861f70f9167b4ec710d0722eb4910bcc043f9c

SHA512
82130cd5e395dfe50406c8f377b3d59e6937e185c19ddc0aa2fa1f30b65f9982f4545263b8e14afc36bc1fef76af0b3d48830ee79c8476c23179cb61c17ad81f

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat

Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat

Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll

Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt

Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1774.tmp

Filesize
832KB

MD5
913b6675436bf50376f6a56a396e18d2

SHA1
d3298e7c8165bdb6e175031e028f5a146bda7806

SHA256
74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7

SHA512
281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is81C..dll

Filesize
2.5MB

MD5
776275f6e820cef1544c4b4d108a2fd2

SHA1
df9772159cc04e842636628c0a8e1029ce771cc8

SHA256
580467f266bd2e7c69a6ee288bcad2a1c843b4a0571a0df68ad2c15a4cfed691

SHA512
869d2caa001f965cf399ad9a2bdf4b9103fd6d9a697bec263efd2f02a78dcb9a328a4e295f025c549c72bbc258e790f7c139eeb49f0d6911ea25d31601b42f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss1030.tmp

Filesize
3.6MB

MD5
19470ab0e93ab0d702a8a6f7dec58aa7

SHA1
f1a85c2a7c8d49e14462bb8018ed6c664a3c515b

SHA256
5d55eabb4dc87f64861d6d226decb113bdd3c2af7ff8a11b81ab111191ea65a6

SHA512
4fdad6c9082a8bf1eacc5b2a68423d502212067bef094862c08f130b296f7f7155607cf21286dd9f8d5da544c69dcf842f7eb1ed65f3b9ffbf608e68581d52aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\ExamShield.msi

Filesize
28.6MB

MD5
56cdf21489801ecbffa8b284ad92b7a2

SHA1
ac521d25bb5b088f9e954fa82e07469b0c43aa2c

SHA256
0977c27bc8646cb53e199654f651a40ce4a5d973a3cf102f7abe68950765b0d0

SHA512
d7e24711b4cc2f99c5f7dc7e1a5a18e5caee0d390e5a1675d9f87b2666cc27007bd1a764c67b8c162611d1e57b5f5c8a70ba8be4e40e70e209f09c1c519f3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\IsConfig.ini

Filesize
167B

MD5
72c6f8ded560067c8619f17230a315b0

SHA1
7b188cb28c0e395f50c69a2d25305dfc20e3521d

SHA256
1c86f6e8b453b278e6fbfb35449baae81e38e0bee1bf9e2fa11ea8227cb90148

SHA512
9656dc4a72eeae47b6bb40aef2d194bc831d49fa2bc23e06e0e2332a12664a76c9817013550d4cfec99ca22e58ebefe4809026db3ff552b753fae62a6c0e3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\_ISMSIDEL.INI

Filesize
4KB

MD5
3896b18a42f3872c2e42a132bb80a4f4

SHA1
3e03f9763e78de9ddaedd0eacd177fddf0a8c12a

SHA256
914b1e71e843ac239494fc73ade001597c21b4b727c50777b0617d1f57368638

SHA512
57e37360e9506f08dc115966f45998ea4bfd1f230604d033fa80dbce841e56a84071b56c82376f6195099f4f1e749ac86ce68eb8746b3cce2abe3ef5c8aede27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\_ISMSIDEL.INI

Filesize
632B

MD5
01ea3a5164e953e3f0d6ce9b43db7a37

SHA1
a9444618fdb1753db952d493c102e5f82b8204d5

SHA256
bd6c744a1a1a91335f1be28554be494f29b222c524313feebf196e5afd211fed

SHA512
feb53428ab634872fe2b4b695810f35da2fc4101867a48fd13a7fa73d37fe44d89b1e580dfc51ac8c0a116e018f5524d675ea6b04612ded6dbbdcdff2f1fbe03

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\_ISMSIDEL.INI

Filesize
272B

MD5
e65973ac0850eb88869f0a6fe08c35dc

SHA1
fa1f9ba917240193f93521fb4ce00197e7fc71e0

SHA256
259873de5f84fe8cb35892f34fc1c790bb6a8e40f15e8e05c1341fb0fdd59101

SHA512
38a6a58ee14eafbf5e5f170fb5216ab27ff2f9505745a613de00572a55e65b0cfb5f83d6a4c5c9c4026566cc6c9fda6851a41297393296032a328e2f43922ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\ISRT.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\Software License Agreement_EN.rtf

Filesize
7KB

MD5
2d4eaea4d9b564964e5e4aea88d48555

SHA1
2cad664a938cdc69e0c6d741575e5819733fc374

SHA256
93494ec77002f73f074bceeb91be9c4f805c1c07852db14d37729d81e0deefd0

SHA512
4ef21301822b3146984f975943e39a7875281d14b5f14f10fb4051be818115a0d54d02876658d279b820e72720d48983214b37abf1d888ac254be7be5b98cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8B159D61-5896-40FD-AEFD-B08F34DF320F}\{E91F30AE}\_isuser_0x0409.dll

Filesize
597KB

MD5
fbd1e1fa1b151fed2dd2cc9de143463c

SHA1
8d82009784d7f10384e3af5b5708d3a530f4f5d9

SHA256
98a1e05526d9688c1e3fc8beb1bcff3bf7c2072f48b0c6386f2454bc18f81330

SHA512
d98acc69f8b575018bfb15d1bde42a8ae3e1b6316371e1f34b00d66bd314d07350b2c9b1e9b7c21a406a89de09ac08098129aeae1453e5307b03d0d338f57357

Download Submit
C:\Users\Admin\AppData\Local\Temp\~F9D3.tmp

Filesize
6KB

MD5
d35bbcf352d975a778552c833d98939b

SHA1
d42f160a63deae6add1b0b55d687ddf25012ec72

SHA256
9f2d22e5387d4b0d45bff77c55a0e71a0ca82c5c1ed613489df143f09b7f54cc

SHA512
dac680936fac3f899bdb7f8676af8f9d708a4017c13f885ca9128e3a5b15e028f58421c147377fc132af1ac7fa84322597e1374f4ea538dd3a9fe350bc245b93

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe

Filesize
1.3MB

MD5
81bfed45ec6eb44dca9797e7b42fc449

SHA1
07d0f587f4c8cb8a8aa81fffc7cb44314514abc1

SHA256
5cbaabb43220546b55946f9cfca80016b58b780fa7f0eff7e7b0c69d7ae1c8fb

SHA512
c5ca735543cc2a4709398e0c955b32f9d88d73d29577817f7d9556f008a6f5b5bb4d99c2f698e6fd342453d741514eace38993258dfcc5c5b15d59d8a6d7050a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini

Filesize
5KB

MD5
a17b1c29e72519c7385a622578565e8f

SHA1
d7458fae32fa23ea7c278b9d80cab69aa5b352d5

SHA256
7bf944db58861318d198a6b6ebf1110c00ab93dcb52a7ec922ba393d7b0a6ca6

SHA512
4446371fe00f192aed8fb9f3de6618e6cee05e742be28e5ebf28226b1c0a92158bc07a55ff71620597607fb29e074e90874ee8c2d62b4b8092601400f965d6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll

Filesize
21KB

MD5
121dbf33b0d3bb167e3f8a9773633a3d

SHA1
b9fc193731c7d23ec400e4436525d9222a755c27

SHA256
4a45fa78482d181bf761a852de9b6386841b33cf5c9489c8e4796da4e06b8abf

SHA512
c17bdefe3b8f6922d20edfa4c61b16dbb472d15bc27c7edc3a68e4b5ddc1d4978badf9a7b88500b3ec359421a46a92d85b26c9eb0175a969f69c5048a7a01458

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe

Filesize
19.6MB

MD5
652f27cf21266d7786a8e1ccbe7299b2

SHA1
d8d1c2f147c1c1c6958b876570a5b94370c1edc1

SHA256
1e38d80c1aa39c72170562b76320d24dc194a940d5d7c7f0cc2f218b34a15f71

SHA512
c0ba371d230b217661afe4485750155218e053995ff6e1e09ab777c7121f0cd7307868caa988ac95e4a2e6d33afa52b82364732f25220cea8e0f2fbba2f07cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll

Filesize
447KB

MD5
2319331fd9f77352804c3faf6cd3ebae

SHA1
35757a3ac4c6af5e81357f18f04f9f01614a7dfe

SHA256
f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa

SHA512
75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll

Filesize
365KB

MD5
24fcbc8ad136be0c41d577b7e04f0c32

SHA1
7e8313c7f94f2814eae99afd2e538950771ba578

SHA256
2c40aa70e5db750a7da2dc22c4dc5d57f60be1df019268c5de2434909cce9820

SHA512
c5cbd352b524eb6b2ec6f032edc9ca0bd99a22902ea6e829b5cf6f20f1071886e750085142d94389b6cde09c3b429299d2aab81375278b6c24b4b59d3a6446a9

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico

Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Windows\Installer\MSI4A44.tmp

Filesize
626KB

MD5
95bf357fe831c0a89c6a3e3044660e94

SHA1
fa10a0dc55062b5a102eed06344491dc4adbff61

SHA256
2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483

SHA512
191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf

Download Submit
memory/536-268-0x0000000002E50000-0x0000000003017000-memory.dmp

Filesize
1.8MB

Download
memory/1912-536-0x0000000005F60000-0x0000000005FB6000-memory.dmp

Filesize
344KB

Download
memory/1912-590-0x0000000074020000-0x000000007403D000-memory.dmp

Filesize
116KB

Download
memory/1912-515-0x0000000076780000-0x0000000076A01000-memory.dmp

Filesize
2.5MB

Download
memory/1912-521-0x0000000075580000-0x0000000075663000-memory.dmp

Filesize
908KB

Download
memory/1912-511-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download
memory/1912-522-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download
memory/1912-523-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download
memory/1912-524-0x0000000075170000-0x00000000751F9000-memory.dmp

Filesize
548KB

Download
memory/1912-526-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/1912-525-0x0000000005340000-0x000000000536A000-memory.dmp

Filesize
168KB

Download
memory/1912-527-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-528-0x0000000005410000-0x000000000554C000-memory.dmp

Filesize
1.2MB

Download
memory/1912-529-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-530-0x0000000005900000-0x0000000005916000-memory.dmp

Filesize
88KB

Download
memory/1912-531-0x0000000006020000-0x0000000006032000-memory.dmp

Filesize
72KB

Download
memory/1912-532-0x00000000060E0000-0x0000000006172000-memory.dmp

Filesize
584KB

Download
memory/1912-533-0x0000000075DE0000-0x0000000076393000-memory.dmp

Filesize
5.7MB

Download
memory/1912-535-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1912-513-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1912-512-0x0000000006220000-0x0000000006267000-memory.dmp

Filesize
284KB

Download
memory/1912-537-0x0000000005940000-0x000000000594E000-memory.dmp

Filesize
56KB

Download
memory/1912-539-0x00000000098B0000-0x0000000009916000-memory.dmp

Filesize
408KB

Download
memory/1912-540-0x0000000009920000-0x00000000099EE000-memory.dmp

Filesize
824KB

Download
memory/1912-400-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download
memory/1912-545-0x0000000009DE0000-0x0000000009DEA000-memory.dmp

Filesize
40KB

Download
memory/1912-546-0x0000000009E30000-0x0000000009E3A000-memory.dmp

Filesize
40KB

Download
memory/1912-547-0x0000000009E50000-0x0000000009F62000-memory.dmp

Filesize
1.1MB

Download
memory/1912-548-0x000000000B6C0000-0x000000000B704000-memory.dmp

Filesize
272KB

Download
memory/1912-549-0x000000000D650000-0x000000000D672000-memory.dmp

Filesize
136KB

Download
memory/1912-551-0x000000000D690000-0x000000000D6D8000-memory.dmp

Filesize
288KB

Download
memory/1912-550-0x000000000D630000-0x000000000D63E000-memory.dmp

Filesize
56KB

Download
memory/1912-552-0x000000006F440000-0x000000006F650000-memory.dmp

Filesize
2.1MB

Download
memory/1912-555-0x0000000075670000-0x0000000075694000-memory.dmp

Filesize
144KB

Download
memory/1912-560-0x0000000073DB0000-0x0000000073E02000-memory.dmp

Filesize
328KB

Download
memory/1912-575-0x00000000750B0000-0x00000000750C2000-memory.dmp

Filesize
72KB

Download
memory/1912-580-0x0000000075910000-0x0000000075916000-memory.dmp

Filesize
24KB

Download
memory/1912-581-0x0000000074CA0000-0x0000000074CC1000-memory.dmp

Filesize
132KB

Download
memory/1912-591-0x0000000076C60000-0x0000000076CA7000-memory.dmp

Filesize
284KB

Download
memory/1912-592-0x000000006EB50000-0x000000006EDC4000-memory.dmp

Filesize
2.5MB

Download
memory/1912-514-0x0000000077070000-0x0000000077285000-memory.dmp

Filesize
2.1MB

Download
memory/1912-589-0x0000000074010000-0x000000007401B000-memory.dmp

Filesize
44KB

Download
memory/1912-588-0x000000006EDD0000-0x000000006EF78000-memory.dmp

Filesize
1.7MB

Download
memory/1912-587-0x0000000074040000-0x000000007404A000-memory.dmp

Filesize
40KB

Download
memory/1912-585-0x000000006F650000-0x000000006F8F2000-memory.dmp

Filesize
2.6MB

Download
memory/1912-584-0x000000006FC90000-0x000000006FDF9000-memory.dmp

Filesize
1.4MB

Download
memory/1912-583-0x0000000073B80000-0x0000000073DAB000-memory.dmp

Filesize
2.2MB

Download
memory/1912-582-0x000000006FED0000-0x0000000070320000-memory.dmp

Filesize
4.3MB

Download
memory/1912-579-0x00000000740F0000-0x00000000741F5000-memory.dmp

Filesize
1.0MB

Download
memory/1912-578-0x0000000074F80000-0x0000000075042000-memory.dmp

Filesize
776KB

Download
memory/1912-577-0x0000000076680000-0x000000007677A000-memory.dmp

Filesize
1000KB

Download
memory/1912-576-0x00000000757C0000-0x0000000075823000-memory.dmp

Filesize
396KB

Download
memory/1912-574-0x0000000077050000-0x0000000077069000-memory.dmp

Filesize
100KB

Download
memory/1912-573-0x0000000075170000-0x00000000751F9000-memory.dmp

Filesize
548KB

Download
memory/1912-572-0x0000000075580000-0x0000000075663000-memory.dmp

Filesize
908KB

Download
memory/1912-569-0x0000000071EB0000-0x0000000072660000-memory.dmp

Filesize
7.7MB

Download
memory/1912-566-0x0000000074C10000-0x0000000074C9D000-memory.dmp

Filesize
564KB

Download
memory/1912-553-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download
memory/1912-565-0x0000000075830000-0x0000000075875000-memory.dmp

Filesize
276KB

Download
memory/1912-564-0x0000000075120000-0x0000000075144000-memory.dmp

Filesize
144KB

Download
memory/1912-563-0x0000000077290000-0x0000000077326000-memory.dmp

Filesize
600KB

Download
memory/1912-561-0x0000000074E40000-0x0000000074EB4000-memory.dmp

Filesize
464KB

Download
memory/1912-571-0x0000000074B40000-0x0000000074BEB000-memory.dmp

Filesize
684KB

Download
memory/1912-570-0x0000000074BF0000-0x0000000074C04000-memory.dmp

Filesize
80KB

Download
memory/1912-567-0x0000000073F20000-0x0000000073F2F000-memory.dmp

Filesize
60KB

Download
memory/1912-568-0x0000000075150000-0x0000000075158000-memory.dmp

Filesize
32KB

Download
memory/1912-558-0x0000000076DA0000-0x0000000076E5F000-memory.dmp

Filesize
764KB

Download
memory/1912-557-0x0000000076BA0000-0x0000000076C5F000-memory.dmp

Filesize
764KB

Download
memory/1912-562-0x0000000076780000-0x0000000076A01000-memory.dmp

Filesize
2.5MB

Download
memory/1912-556-0x0000000076A10000-0x0000000076A8B000-memory.dmp

Filesize
492KB

Download
memory/1912-554-0x0000000077070000-0x0000000077285000-memory.dmp

Filesize
2.1MB

Download
memory/1912-593-0x000000000E2C0000-0x000000000E306000-memory.dmp

Filesize
280KB

Download
memory/1912-595-0x0000000077070000-0x0000000077285000-memory.dmp

Filesize
2.1MB

Download
memory/1912-602-0x0000000074E40000-0x0000000074EB4000-memory.dmp

Filesize
464KB

Download
memory/1912-603-0x0000000076780000-0x0000000076A01000-memory.dmp

Filesize
2.5MB

Download
memory/1912-601-0x0000000073DB0000-0x0000000073E02000-memory.dmp

Filesize
328KB

Download
memory/1912-598-0x0000000076BA0000-0x0000000076C5F000-memory.dmp

Filesize
764KB

Download
memory/1912-678-0x0000000000190000-0x0000000002E45000-memory.dmp

Filesize
44.7MB

Download