asyncrat | 13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Size

3.5MB
MD5

3d65c83ef6cd531b1cea119ebaed6d4e
SHA1

dd34510ec94ccca3aad65d9956e62d99e214e9f8
SHA256

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0
SHA512

a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271
SSDEEP

98304:LVU8oNJUmv0ydoQK9q4YwjU4fyp/9EcdY11yyevzeXV:LVaOmiWV+11yyev

Score

10^/10

asyncrat defense_evasion discovery evasion persistence privilege_escalation rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1124	netsh.exe
4908	netsh.exe
1532	netsh.exe
3244	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	ExamShieldSetup.exe

Executes dropped EXE 13 IoCs

pid	Process
2736	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
4632	ISBEW64.exe
4972	ISBEW64.exe
4868	ISBEW64.exe
3920	ISBEW64.exe
3152	ISBEW64.exe
4360	ISBEW64.exe
4700	ISBEW64.exe
4428	ISBEW64.exe
1592	ISBEW64.exe
4080	ISBEW64.exe
1164	ExamShield.exe

Loads dropped DLL 13 IoCs

pid	Process
4656	ExamShieldSetup.exe
3980	MsiExec.exe
3980	MsiExec.exe
4656	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
4744	MsiExec.exe
4744	MsiExec.exe
4744	MsiExec.exe
4744	MsiExec.exe
1164	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1164	ExamShield.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA330.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA68D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF79.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a0cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a0cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA834.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC2C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a0d1.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Connections Discovery 1 TTPs 24 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2392	NETSTAT.EXE
2828	cmd.exe
3104	cmd.exe
2392	cmd.exe
3044	NETSTAT.EXE
3780	NETSTAT.EXE
1916	cmd.exe
4928	NETSTAT.EXE
4172	NETSTAT.EXE
5012	NETSTAT.EXE
532	cmd.exe
2264	cmd.exe
1964	cmd.exe
672	NETSTAT.EXE
516	cmd.exe
1712	NETSTAT.EXE
4460	NETSTAT.EXE
3084	cmd.exe
4252	NETSTAT.EXE
4928	NETSTAT.EXE
4600	cmd.exe
2560	NETSTAT.EXE
3196	cmd.exe
552	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000750203050573ea680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000750203050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090075020305000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d75020305000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007502030500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Gathers network information 2 TTPs 12 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4172	NETSTAT.EXE
2560	NETSTAT.EXE
1712	NETSTAT.EXE
5012	NETSTAT.EXE
3780	NETSTAT.EXE
4928	NETSTAT.EXE
672	NETSTAT.EXE
3044	NETSTAT.EXE
2392	NETSTAT.EXE
4460	NETSTAT.EXE
4252	NETSTAT.EXE
4928	NETSTAT.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command\	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	ExamShieldSetup.exe
4656	ExamShieldSetup.exe
2900	msiexec.exe
2900	msiexec.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe
1164	ExamShield.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2900	msiexec.exe
Token: SeCreateTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4656	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4656	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4656	ExamShieldSetup.exe
Token: SeTcbPrivilege	4656	ExamShieldSetup.exe
Token: SeSecurityPrivilege	4656	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	4656	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	4656	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	4656	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	4656	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	4656	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	4656	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	4656	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	4656	ExamShieldSetup.exe
Token: SeBackupPrivilege	4656	ExamShieldSetup.exe
Token: SeRestorePrivilege	4656	ExamShieldSetup.exe
Token: SeShutdownPrivilege	4656	ExamShieldSetup.exe
Token: SeDebugPrivilege	4656	ExamShieldSetup.exe
Token: SeAuditPrivilege	4656	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	4656	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	4656	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	4656	ExamShieldSetup.exe
Token: SeUndockPrivilege	4656	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	4656	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	4656	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	4656	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	4656	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	4656	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4656	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4656	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4656	ExamShieldSetup.exe
Token: SeTcbPrivilege	4656	ExamShieldSetup.exe
Token: SeSecurityPrivilege	4656	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	4656	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	4656	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	4656	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	4656	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	4656	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	4656	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	4656	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	4656	ExamShieldSetup.exe
Token: SeBackupPrivilege	4656	ExamShieldSetup.exe
Token: SeRestorePrivilege	4656	ExamShieldSetup.exe
Token: SeShutdownPrivilege	4656	ExamShieldSetup.exe
Token: SeDebugPrivilege	4656	ExamShieldSetup.exe
Token: SeAuditPrivilege	4656	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	4656	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	4656	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	4656	ExamShieldSetup.exe
Token: SeUndockPrivilege	4656	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	4656	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	4656	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	4656	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	4656	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	4656	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4656	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	4656	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	4656	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	4656	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4636	msiexec.exe
4636	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2736	4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	98
PID 4972 wrote to memory of 2736	4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	98
PID 4972 wrote to memory of 2736	4972	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	98
PID 2736 wrote to memory of 4656	2736	ExamShieldSetup.exe	99
PID 2736 wrote to memory of 4656	2736	ExamShieldSetup.exe	99
PID 2736 wrote to memory of 4656	2736	ExamShieldSetup.exe	99
PID 2900 wrote to memory of 3980	2900	msiexec.exe	102
PID 2900 wrote to memory of 3980	2900	msiexec.exe	102
PID 2900 wrote to memory of 3980	2900	msiexec.exe	102
PID 4656 wrote to memory of 4632	4656	ExamShieldSetup.exe	103
PID 4656 wrote to memory of 4632	4656	ExamShieldSetup.exe	103
PID 4656 wrote to memory of 4972	4656	ExamShieldSetup.exe	104
PID 4656 wrote to memory of 4972	4656	ExamShieldSetup.exe	104
PID 4656 wrote to memory of 4868	4656	ExamShieldSetup.exe	105
PID 4656 wrote to memory of 4868	4656	ExamShieldSetup.exe	105
PID 4656 wrote to memory of 3920	4656	ExamShieldSetup.exe	106
PID 4656 wrote to memory of 3920	4656	ExamShieldSetup.exe	106
PID 4656 wrote to memory of 3152	4656	ExamShieldSetup.exe	107
PID 4656 wrote to memory of 3152	4656	ExamShieldSetup.exe	107
PID 4656 wrote to memory of 4360	4656	ExamShieldSetup.exe	108
PID 4656 wrote to memory of 4360	4656	ExamShieldSetup.exe	108
PID 4656 wrote to memory of 4700	4656	ExamShieldSetup.exe	109
PID 4656 wrote to memory of 4700	4656	ExamShieldSetup.exe	109
PID 4656 wrote to memory of 4428	4656	ExamShieldSetup.exe	110
PID 4656 wrote to memory of 4428	4656	ExamShieldSetup.exe	110
PID 4656 wrote to memory of 1592	4656	ExamShieldSetup.exe	111
PID 4656 wrote to memory of 1592	4656	ExamShieldSetup.exe	111
PID 4656 wrote to memory of 4080	4656	ExamShieldSetup.exe	112
PID 4656 wrote to memory of 4080	4656	ExamShieldSetup.exe	112
PID 4656 wrote to memory of 4636	4656	ExamShieldSetup.exe	113
PID 4656 wrote to memory of 4636	4656	ExamShieldSetup.exe	113
PID 4656 wrote to memory of 4636	4656	ExamShieldSetup.exe	113
PID 2900 wrote to memory of 4744	2900	msiexec.exe	121
PID 2900 wrote to memory of 4744	2900	msiexec.exe	121
PID 2900 wrote to memory of 4744	2900	msiexec.exe	121
PID 4656 wrote to memory of 3084	4656	ExamShieldSetup.exe	123
PID 4656 wrote to memory of 3084	4656	ExamShieldSetup.exe	123
PID 4656 wrote to memory of 3084	4656	ExamShieldSetup.exe	123
PID 3084 wrote to memory of 1532	3084	cmd.exe	125
PID 3084 wrote to memory of 1532	3084	cmd.exe	125
PID 3084 wrote to memory of 1532	3084	cmd.exe	125
PID 4656 wrote to memory of 3264	4656	ExamShieldSetup.exe	126
PID 4656 wrote to memory of 3264	4656	ExamShieldSetup.exe	126
PID 4656 wrote to memory of 3264	4656	ExamShieldSetup.exe	126
PID 3264 wrote to memory of 3244	3264	cmd.exe	128
PID 3264 wrote to memory of 3244	3264	cmd.exe	128
PID 3264 wrote to memory of 3244	3264	cmd.exe	128
PID 4656 wrote to memory of 3704	4656	ExamShieldSetup.exe	147
PID 4656 wrote to memory of 3704	4656	ExamShieldSetup.exe	147
PID 4656 wrote to memory of 3704	4656	ExamShieldSetup.exe	147
PID 3704 wrote to memory of 1124	3704	cmd.exe	131
PID 3704 wrote to memory of 1124	3704	cmd.exe	131
PID 3704 wrote to memory of 1124	3704	cmd.exe	131
PID 4656 wrote to memory of 3196	4656	ExamShieldSetup.exe	146
PID 4656 wrote to memory of 3196	4656	ExamShieldSetup.exe	146
PID 4656 wrote to memory of 3196	4656	ExamShieldSetup.exe	146
PID 3196 wrote to memory of 4908	3196	cmd.exe	134
PID 3196 wrote to memory of 4908	3196	cmd.exe	134
PID 3196 wrote to memory of 4908	3196	cmd.exe	134
PID 4656 wrote to memory of 1164	4656	ExamShieldSetup.exe	135
PID 4656 wrote to memory of 1164	4656	ExamShieldSetup.exe	135
PID 4656 wrote to memory of 1164	4656	ExamShieldSetup.exe	135
PID 4656 wrote to memory of 3660	4656	ExamShieldSetup.exe	137
PID 4656 wrote to memory of 3660	4656	ExamShieldSetup.exe	137

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
"C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
  "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\ExamShieldSetup.exe
    C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}" /z" LAUNCHEXAMSHIELD" /IS_temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8236DD0-E164-44DC-9A25-F5DD69ADFCFA}
      4⤵
      Executes dropped EXE
      PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5D3C0386-8DBF-4B8A-9474-7509D0AB8CC6}
      4⤵
      Executes dropped EXE
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34324089-4730-40B5-A560-4902BE5F50B1}
      4⤵
      Executes dropped EXE
      PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8A0561F-5B66-4B5F-A138-10C513472E7B}
      4⤵
      Executes dropped EXE
      PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFEFAE6-8243-4FB1-9B68-E5E40908D028}
      4⤵
      Executes dropped EXE
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94768936-D26E-4134-881F-CEB0214ED1D3}
      4⤵
      Executes dropped EXE
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E4E9822-DE0A-4441-938C-97EDD40141C0}
      4⤵
      Executes dropped EXE
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A0A9F29-3CD1-4B73-87CF-4A9925F75C85}
      4⤵
      Executes dropped EXE
      PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{410D372D-5034-4B52-8DFE-8B055D1ADAEB}
      4⤵
      Executes dropped EXE
      PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DD904256-9709-424F-BEBF-846D452519B5}
      4⤵
      Executes dropped EXE
      PID:4080
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4908
  - - C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1164
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2392
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1712
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4600
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2560
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3704
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5012
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:532
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3044
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2264
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3780
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1916
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2392
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1964
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3084
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4928
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:552
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4252
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2828
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:672
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3104
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4928
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:516
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9AE609886D28645A92346AA04E41AEA4 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 05E4DBBF4A921EC6860226221ADA2C44
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:648

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a0d0.rbs

Filesize
13KB

MD5
f77c04592c66f422b4005158ad38ad2e

SHA1
0aa68f7d393e53288c4fcc591f0fc3f9597e5bac

SHA256
99d5b74f9ddf2f9c4050d313f692ba85df06a9fbf062d67b6284bcf38935b862

SHA512
b37edc63d8659a9179ca53ddf5ce9e524252b5f925d25822ab91fb9130449dc4cc70264ee4ae5fe7c6107635de086a1762d73e5f1fc60ee28862dfed02f9b6f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
ce9a6874a76da10d24ad8bc4e20e3cf5

SHA1
3b27eb50a204d1e15d35342a9e9f8d9bc9fe69a2

SHA256
5ef7af52925ad2cfa6954bc78f37c121940dcb88884c12dc5ef330e0fa539929

SHA512
c3bfe608fef57bed48b8e52e18f028d925eef7d4afbdeb617ab1e9e7c5f97eb58290dc7edbb33b0907cd0150ae70ca4532aefc1ea22eac7dd5dae0c6c7e1e0ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
727B

MD5
a630301aed08e3a3923da80ec6877c6e

SHA1
262673b9194713a8c2493d0472d60bbd23c8ac2e

SHA256
cf75f499a3261ebd324d6fd2032d0a10929e8bf807edd899b2016f467d9d67cd

SHA512
f90cdbe880cd520d1f88281e3f9ae5fcadf5a72116df6cd9306b7114a9a4c7784375b53d5bab0b3ec5021a88ea95f7a68f0a4821f0226ec3f6f345e5f3b145f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
e6642a6fcf8fd3fbcd2d621728c4f1c5

SHA1
11d8ca735053cc90ce5aa1572a3b4780faedb464

SHA256
8ed8d126dbbc21d28a82318acb7d6df069357bfbe2ca5a2f2b3d155fcff958cf

SHA512
94576b8ea7940542e9c6fafbabdb308f0031c217c66d4444670e66809a84daa301ec56b8181e2becbc6855810cc35c6ee0115fb00fd4ed92bdd79df6bc6b4932

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
469b9d4d5b9316720f135d4364198248

SHA1
11b5210388a0b17319998b78accab42d08fca7f8

SHA256
9dfe758e20c5a9d63a321cbcbf2338d0debeef9af2b3ddc40b67f0edce7eb245

SHA512
96edbbe443a903d66e45a72652cfaedb5742834d5c2341d6f97b4d19f5025800a50cda6a643b720e406d727b9c251a9c56f2bd3eb3049713c3878b39b7a1d47c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
408B

MD5
c7724517c50f02ac5b803a39288fd623

SHA1
d0cc3be3f658839665adf3f76114927a0a5c9b29

SHA256
1afd429e24809e8d9d9d7e0dba0456da17822ee37abc08870f1e6b2aadfb8a8e

SHA512
47bfe2d45f4fe379dda9512cc9cb3a19d09ce7b304210e98e3c69dfecf1e99c5f51debaf57c575abf9664c058961b5b59c97b2d323bb52df5d42d2ff68507af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
7b4f446ad76f6d4876ccf67e7656e1d2

SHA1
c79ad75f3fa7b2d4036972e3704d10685fbf31ee

SHA256
617cab45a009568be1955082e8021347e10557ec3ba529ead99bd0293594856c

SHA512
9d189fcf385ef0468f63c65923c9ec6352b6d249ebc4fb5072a08a1b663bfad663621efb5a2a59ac06e12a3d03408056fd428f971d4e062de293359fb55c5430

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldParams.dat

Filesize
9B

MD5
9bab2b4c50d8359fc53c582d09ca21df

SHA1
9b2473d04fc51348aa20d1fedf5e629c43a0ada9

SHA256
9dbf8057012e99a692df37f984b92232c1aeee59ba9576be9f440d2ae0bef774

SHA512
c989409cb5c9fd74b66ec0a6c2d2a0f1166c2f7e379794bc7511119c53388baf60e37ef0b0f8f3b854283f832fc91147b63da46eb3cef22bc394946e34943a12

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe

Filesize
41.8MB

MD5
95846ce7c1cb570ef1ba75cfe7e4ed90

SHA1
f8488ddd1fc199cd2182e64b1e7c828c85c39426

SHA256
448cd7978f7b8bcc3ffd6049a9861f70f9167b4ec710d0722eb4910bcc043f9c

SHA512
82130cd5e395dfe50406c8f377b3d59e6937e185c19ddc0aa2fa1f30b65f9982f4545263b8e14afc36bc1fef76af0b3d48830ee79c8476c23179cb61c17ad81f

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat

Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat

Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll

Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt

Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6F29.tmp

Filesize
832KB

MD5
913b6675436bf50376f6a56a396e18d2

SHA1
d3298e7c8165bdb6e175031e028f5a146bda7806

SHA256
74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7

SHA512
281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is603F..dll

Filesize
2.5MB

MD5
776275f6e820cef1544c4b4d108a2fd2

SHA1
df9772159cc04e842636628c0a8e1029ce771cc8

SHA256
580467f266bd2e7c69a6ee288bcad2a1c843b4a0571a0df68ad2c15a4cfed691

SHA512
869d2caa001f965cf399ad9a2bdf4b9103fd6d9a697bec263efd2f02a78dcb9a328a4e295f025c549c72bbc258e790f7c139eeb49f0d6911ea25d31601b42f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss6489.tmp

Filesize
3.6MB

MD5
19470ab0e93ab0d702a8a6f7dec58aa7

SHA1
f1a85c2a7c8d49e14462bb8018ed6c664a3c515b

SHA256
5d55eabb4dc87f64861d6d226decb113bdd3c2af7ff8a11b81ab111191ea65a6

SHA512
4fdad6c9082a8bf1eacc5b2a68423d502212067bef094862c08f130b296f7f7155607cf21286dd9f8d5da544c69dcf842f7eb1ed65f3b9ffbf608e68581d52aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\ExamShield.msi

Filesize
28.6MB

MD5
56cdf21489801ecbffa8b284ad92b7a2

SHA1
ac521d25bb5b088f9e954fa82e07469b0c43aa2c

SHA256
0977c27bc8646cb53e199654f651a40ce4a5d973a3cf102f7abe68950765b0d0

SHA512
d7e24711b4cc2f99c5f7dc7e1a5a18e5caee0d390e5a1675d9f87b2666cc27007bd1a764c67b8c162611d1e57b5f5c8a70ba8be4e40e70e209f09c1c519f3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\IsConfig.ini

Filesize
167B

MD5
72c6f8ded560067c8619f17230a315b0

SHA1
7b188cb28c0e395f50c69a2d25305dfc20e3521d

SHA256
1c86f6e8b453b278e6fbfb35449baae81e38e0bee1bf9e2fa11ea8227cb90148

SHA512
9656dc4a72eeae47b6bb40aef2d194bc831d49fa2bc23e06e0e2332a12664a76c9817013550d4cfec99ca22e58ebefe4809026db3ff552b753fae62a6c0e3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\_ISMSIDEL.INI

Filesize
632B

MD5
47c878ac18a20dc755d05cefc80877a7

SHA1
268b748ce0a0928259b522a37128f3b6bdad5b58

SHA256
37ab45d7d31f8d09c3e2856e5c912af22d84fb9817f6355871d18d9e805062de

SHA512
4e55857ad5fa4458e3b07a121ddfc4c6fc1c4abe0941dd3ca59d9e79d1cd307791bc1cded1d9ac623b40a4e432ac1775cdf7ceeb88110e9ed333995a15bbf79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\_ISMSIDEL.INI

Filesize
272B

MD5
dd2600b11cf61e7bdde14bd2d35065fe

SHA1
b9c4e3035c80bd97b95c12fe5db4f6bbe5690db2

SHA256
c473d6e9debe54d2e2338913b4c3fdd52164aca69b461a2d79aa6fff5945962b

SHA512
ff0e9d559bb439bafeda46c8664b55f1476143f11c2d00e798ff384d43b3ea32ace57a9c9dae5f15b80ea3d55bf2fe853b469ecc8fa2491ff1f6af796f5ec4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\ISRT.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\Software License Agreement_EN.rtf

Filesize
7KB

MD5
2d4eaea4d9b564964e5e4aea88d48555

SHA1
2cad664a938cdc69e0c6d741575e5819733fc374

SHA256
93494ec77002f73f074bceeb91be9c4f805c1c07852db14d37729d81e0deefd0

SHA512
4ef21301822b3146984f975943e39a7875281d14b5f14f10fb4051be818115a0d54d02876658d279b820e72720d48983214b37abf1d888ac254be7be5b98cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A970315C-7627-4F35-B1AD-E3433CFFAF7E}\{E91F30AE}\_isuser_0x0409.dll

Filesize
597KB

MD5
fbd1e1fa1b151fed2dd2cc9de143463c

SHA1
8d82009784d7f10384e3af5b5708d3a530f4f5d9

SHA256
98a1e05526d9688c1e3fc8beb1bcff3bf7c2072f48b0c6386f2454bc18f81330

SHA512
d98acc69f8b575018bfb15d1bde42a8ae3e1b6316371e1f34b00d66bd314d07350b2c9b1e9b7c21a406a89de09ac08098129aeae1453e5307b03d0d338f57357

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4D71.tmp

Filesize
6KB

MD5
d35bbcf352d975a778552c833d98939b

SHA1
d42f160a63deae6add1b0b55d687ddf25012ec72

SHA256
9f2d22e5387d4b0d45bff77c55a0e71a0ca82c5c1ed613489df143f09b7f54cc

SHA512
dac680936fac3f899bdb7f8676af8f9d708a4017c13f885ca9128e3a5b15e028f58421c147377fc132af1ac7fa84322597e1374f4ea538dd3a9fe350bc245b93

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe

Filesize
1.3MB

MD5
81bfed45ec6eb44dca9797e7b42fc449

SHA1
07d0f587f4c8cb8a8aa81fffc7cb44314514abc1

SHA256
5cbaabb43220546b55946f9cfca80016b58b780fa7f0eff7e7b0c69d7ae1c8fb

SHA512
c5ca735543cc2a4709398e0c955b32f9d88d73d29577817f7d9556f008a6f5b5bb4d99c2f698e6fd342453d741514eace38993258dfcc5c5b15d59d8a6d7050a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini

Filesize
5KB

MD5
a17b1c29e72519c7385a622578565e8f

SHA1
d7458fae32fa23ea7c278b9d80cab69aa5b352d5

SHA256
7bf944db58861318d198a6b6ebf1110c00ab93dcb52a7ec922ba393d7b0a6ca6

SHA512
4446371fe00f192aed8fb9f3de6618e6cee05e742be28e5ebf28226b1c0a92158bc07a55ff71620597607fb29e074e90874ee8c2d62b4b8092601400f965d6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll

Filesize
21KB

MD5
121dbf33b0d3bb167e3f8a9773633a3d

SHA1
b9fc193731c7d23ec400e4436525d9222a755c27

SHA256
4a45fa78482d181bf761a852de9b6386841b33cf5c9489c8e4796da4e06b8abf

SHA512
c17bdefe3b8f6922d20edfa4c61b16dbb472d15bc27c7edc3a68e4b5ddc1d4978badf9a7b88500b3ec359421a46a92d85b26c9eb0175a969f69c5048a7a01458

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe

Filesize
19.6MB

MD5
652f27cf21266d7786a8e1ccbe7299b2

SHA1
d8d1c2f147c1c1c6958b876570a5b94370c1edc1

SHA256
1e38d80c1aa39c72170562b76320d24dc194a940d5d7c7f0cc2f218b34a15f71

SHA512
c0ba371d230b217661afe4485750155218e053995ff6e1e09ab777c7121f0cd7307868caa988ac95e4a2e6d33afa52b82364732f25220cea8e0f2fbba2f07cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll

Filesize
447KB

MD5
2319331fd9f77352804c3faf6cd3ebae

SHA1
35757a3ac4c6af5e81357f18f04f9f01614a7dfe

SHA256
f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa

SHA512
75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll

Filesize
365KB

MD5
24fcbc8ad136be0c41d577b7e04f0c32

SHA1
7e8313c7f94f2814eae99afd2e538950771ba578

SHA256
2c40aa70e5db750a7da2dc22c4dc5d57f60be1df019268c5de2434909cce9820

SHA512
c5cbd352b524eb6b2ec6f032edc9ca0bd99a22902ea6e829b5cf6f20f1071886e750085142d94389b6cde09c3b429299d2aab81375278b6c24b4b59d3a6446a9

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico

Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Windows\Installer\MSIA68D.tmp

Filesize
626KB

MD5
95bf357fe831c0a89c6a3e3044660e94

SHA1
fa10a0dc55062b5a102eed06344491dc4adbff61

SHA256
2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483

SHA512
191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf

Download Submit
memory/1164-537-0x0000000009720000-0x0000000009786000-memory.dmp

Filesize
408KB

Download
memory/1164-578-0x0000000074970000-0x0000000074991000-memory.dmp

Filesize
132KB

Download
memory/1164-512-0x0000000075880000-0x0000000075A95000-memory.dmp

Filesize
2.1MB

Download
memory/1164-513-0x0000000075C20000-0x0000000075EA1000-memory.dmp

Filesize
2.5MB

Download
memory/1164-514-0x00000000772B0000-0x0000000077393000-memory.dmp

Filesize
908KB

Download
memory/1164-420-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-520-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-521-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-522-0x0000000074DA0000-0x0000000074E29000-memory.dmp

Filesize
548KB

Download
memory/1164-524-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/1164-525-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/1164-523-0x0000000005470000-0x000000000549A000-memory.dmp

Filesize
168KB

Download
memory/1164-526-0x00000000055A0000-0x00000000056DC000-memory.dmp

Filesize
1.2MB

Download
memory/1164-527-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/1164-528-0x0000000005580000-0x0000000005596000-memory.dmp

Filesize
88KB

Download
memory/1164-529-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/1164-530-0x0000000008AA0000-0x0000000008B32000-memory.dmp

Filesize
584KB

Download
memory/1164-531-0x00000000764E0000-0x0000000076A93000-memory.dmp

Filesize
5.7MB

Download
memory/1164-533-0x0000000005A40000-0x0000000005A4A000-memory.dmp

Filesize
40KB

Download
memory/1164-534-0x0000000006160000-0x00000000061B6000-memory.dmp

Filesize
344KB

Download
memory/1164-511-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1164-535-0x0000000005A70000-0x0000000005A7E000-memory.dmp

Filesize
56KB

Download
memory/1164-398-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-717-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-538-0x0000000009890000-0x000000000995E000-memory.dmp

Filesize
824KB

Download
memory/1164-544-0x0000000009F00000-0x0000000009F0A000-memory.dmp

Filesize
40KB

Download
memory/1164-545-0x0000000009F20000-0x000000000A032000-memory.dmp

Filesize
1.1MB

Download
memory/1164-543-0x0000000009E90000-0x0000000009E9A000-memory.dmp

Filesize
40KB

Download
memory/1164-546-0x0000000006300000-0x0000000006344000-memory.dmp

Filesize
272KB

Download
memory/1164-550-0x000000000D5A0000-0x000000000D5E8000-memory.dmp

Filesize
288KB

Download
memory/1164-549-0x000000000CD10000-0x000000000CD1E000-memory.dmp

Filesize
56KB

Download
memory/1164-548-0x000000000CD40000-0x000000000CD62000-memory.dmp

Filesize
136KB

Download
memory/1164-552-0x0000000075880000-0x0000000075A95000-memory.dmp

Filesize
2.1MB

Download
memory/1164-553-0x0000000076C00000-0x0000000076C24000-memory.dmp

Filesize
144KB

Download
memory/1164-563-0x0000000076E60000-0x0000000076EA5000-memory.dmp

Filesize
276KB

Download
memory/1164-562-0x00000000753F0000-0x0000000075414000-memory.dmp

Filesize
144KB

Download
memory/1164-555-0x00000000763C0000-0x000000007647F000-memory.dmp

Filesize
764KB

Download
memory/1164-554-0x0000000075AA0000-0x0000000075B1B000-memory.dmp

Filesize
492KB

Download
memory/1164-561-0x00000000774A0000-0x0000000077536000-memory.dmp

Filesize
600KB

Download
memory/1164-566-0x0000000075420000-0x0000000075428000-memory.dmp

Filesize
32KB

Download
memory/1164-567-0x00000000721A0000-0x0000000072950000-memory.dmp

Filesize
7.7MB

Download
memory/1164-510-0x0000000004F90000-0x0000000004FD7000-memory.dmp

Filesize
284KB

Download
memory/1164-582-0x0000000074520000-0x000000007452A000-memory.dmp

Filesize
40KB

Download
memory/1164-551-0x0000000000DC0000-0x0000000003A75000-memory.dmp

Filesize
44.7MB

Download
memory/1164-587-0x000000006F6B0000-0x000000006F952000-memory.dmp

Filesize
2.6MB

Download
memory/1164-586-0x0000000076AC0000-0x0000000076B07000-memory.dmp

Filesize
284KB

Download
memory/1164-585-0x00000000744F0000-0x00000000744FB000-memory.dmp

Filesize
44KB

Download
memory/1164-584-0x0000000074500000-0x000000007451D000-memory.dmp

Filesize
116KB

Download
memory/1164-583-0x000000006F960000-0x000000006FB08000-memory.dmp

Filesize
1.7MB

Download
memory/1164-581-0x0000000074100000-0x0000000074269000-memory.dmp

Filesize
1.4MB

Download
memory/1164-580-0x00000000745A0000-0x00000000747CB000-memory.dmp

Filesize
2.2MB

Download
memory/1164-579-0x0000000072E30000-0x0000000073280000-memory.dmp

Filesize
4.3MB

Download
memory/1164-577-0x0000000075870000-0x0000000075876000-memory.dmp

Filesize
24KB

Download
memory/1164-575-0x00000000773A0000-0x000000007749A000-memory.dmp

Filesize
1000KB

Download
memory/1164-574-0x0000000075EB0000-0x0000000075F13000-memory.dmp

Filesize
396KB

Download
memory/1164-573-0x0000000073A00000-0x0000000073A12000-memory.dmp

Filesize
72KB

Download
memory/1164-572-0x0000000075BA0000-0x0000000075BB9000-memory.dmp

Filesize
100KB

Download
memory/1164-570-0x00000000772B0000-0x0000000077393000-memory.dmp

Filesize
908KB

Download
memory/1164-569-0x0000000074E30000-0x0000000074EDB000-memory.dmp

Filesize
684KB

Download
memory/1164-568-0x0000000074EE0000-0x0000000074EF4000-memory.dmp

Filesize
80KB

Download
memory/1164-571-0x0000000074DA0000-0x0000000074E29000-memory.dmp

Filesize
548KB

Download
memory/1164-565-0x00000000754E0000-0x00000000754EF000-memory.dmp

Filesize
60KB

Download
memory/1164-564-0x0000000074F00000-0x0000000074F8D000-memory.dmp

Filesize
564KB

Download
memory/1164-560-0x0000000075C20000-0x0000000075EA1000-memory.dmp

Filesize
2.5MB

Download
memory/1164-559-0x0000000075460000-0x00000000754D4000-memory.dmp

Filesize
464KB

Download
memory/1164-558-0x0000000074090000-0x00000000740E2000-memory.dmp

Filesize
328KB

Download
memory/1164-556-0x0000000077140000-0x00000000771FF000-memory.dmp

Filesize
764KB

Download
memory/1164-576-0x0000000074F90000-0x0000000075095000-memory.dmp

Filesize
1.0MB

Download
memory/1164-588-0x000000006F4A0000-0x000000006F6B0000-memory.dmp

Filesize
2.1MB

Download
memory/1164-589-0x000000000E500000-0x000000000E546000-memory.dmp

Filesize
280KB

Download
memory/1164-597-0x0000000074090000-0x00000000740E2000-memory.dmp

Filesize
328KB

Download
memory/1164-599-0x0000000075C20000-0x0000000075EA1000-memory.dmp

Filesize
2.5MB

Download
memory/1164-607-0x0000000074EE0000-0x0000000074EF4000-memory.dmp

Filesize
80KB

Download
memory/1164-606-0x00000000721A0000-0x0000000072950000-memory.dmp

Filesize
7.7MB

Download
memory/1164-603-0x0000000074F00000-0x0000000074F8D000-memory.dmp

Filesize
564KB

Download
memory/1164-598-0x0000000075460000-0x00000000754D4000-memory.dmp

Filesize
464KB

Download
memory/1164-595-0x0000000077140000-0x00000000771FF000-memory.dmp

Filesize
764KB

Download
memory/1164-591-0x0000000075880000-0x0000000075A95000-memory.dmp

Filesize
2.1MB

Download
memory/1164-600-0x00000000774A0000-0x0000000077536000-memory.dmp

Filesize
600KB

Download
memory/1164-594-0x00000000763C0000-0x000000007647F000-memory.dmp

Filesize
764KB

Download
memory/4656-266-0x0000000006040000-0x0000000006207000-memory.dmp

Filesize
1.8MB

Download