asyncrat | 13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Size

3.5MB
MD5

3d65c83ef6cd531b1cea119ebaed6d4e
SHA1

dd34510ec94ccca3aad65d9956e62d99e214e9f8
SHA256

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0
SHA512

a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271
SSDEEP

98304:LVU8oNJUmv0ydoQK9q4YwjU4fyp/9EcdY11yyevzeXV:LVaOmiWV+11yyev

Score

10^/10

asyncrat defense_evasion discovery evasion persistence privilege_escalation rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1372	netsh.exe
4540	netsh.exe
684	netsh.exe
3016	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	ExamShieldSetup.exe

Executes dropped EXE 13 IoCs

pid	Process
2180	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
3384	ISBEW64.exe
208	ISBEW64.exe
2456	ISBEW64.exe
1468	ISBEW64.exe
1336	ISBEW64.exe
4344	ISBEW64.exe
3744	ISBEW64.exe
868	ISBEW64.exe
4112	ISBEW64.exe
3724	ISBEW64.exe
2708	ExamShield.exe

Loads dropped DLL 13 IoCs

pid	Process
1644	ExamShieldSetup.exe
4524	MsiExec.exe
4524	MsiExec.exe
1644	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
1284	MsiExec.exe
1284	MsiExec.exe
1284	MsiExec.exe
1284	MsiExec.exe
2708	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\X:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2708	ExamShield.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1093.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e58fe12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45B.tmp	msiexec.exe
File created	C:\Windows\Installer\e58fe14.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI141F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58fe12.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Connections Discovery 1 TTPs 12 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4248	cmd.exe
4392	NETSTAT.EXE
528	NETSTAT.EXE
4184	cmd.exe
1748	NETSTAT.EXE
5084	NETSTAT.EXE
760	cmd.exe
3980	cmd.exe
4060	NETSTAT.EXE
4236	cmd.exe
3604	cmd.exe
1848	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000750203050573ea680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000750203050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090075020305000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d75020305000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007502030500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5084	NETSTAT.EXE
4392	NETSTAT.EXE
1848	NETSTAT.EXE
528	NETSTAT.EXE
4060	NETSTAT.EXE
1748	NETSTAT.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command\	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\URL Protocol	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	ExamShieldSetup.exe
1644	ExamShieldSetup.exe
740	msiexec.exe
740	msiexec.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe
2708	ExamShield.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	740	msiexec.exe
Token: SeCreateTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	1644	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	1644	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	1644	ExamShieldSetup.exe
Token: SeTcbPrivilege	1644	ExamShieldSetup.exe
Token: SeSecurityPrivilege	1644	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	1644	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	1644	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	1644	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	1644	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	1644	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	1644	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	1644	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	1644	ExamShieldSetup.exe
Token: SeBackupPrivilege	1644	ExamShieldSetup.exe
Token: SeRestorePrivilege	1644	ExamShieldSetup.exe
Token: SeShutdownPrivilege	1644	ExamShieldSetup.exe
Token: SeDebugPrivilege	1644	ExamShieldSetup.exe
Token: SeAuditPrivilege	1644	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	1644	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	1644	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	1644	ExamShieldSetup.exe
Token: SeUndockPrivilege	1644	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	1644	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	1644	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	1644	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	1644	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	1644	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	1644	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	1644	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	1644	ExamShieldSetup.exe
Token: SeTcbPrivilege	1644	ExamShieldSetup.exe
Token: SeSecurityPrivilege	1644	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	1644	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	1644	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	1644	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	1644	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	1644	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	1644	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	1644	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	1644	ExamShieldSetup.exe
Token: SeBackupPrivilege	1644	ExamShieldSetup.exe
Token: SeRestorePrivilege	1644	ExamShieldSetup.exe
Token: SeShutdownPrivilege	1644	ExamShieldSetup.exe
Token: SeDebugPrivilege	1644	ExamShieldSetup.exe
Token: SeAuditPrivilege	1644	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	1644	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	1644	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	1644	ExamShieldSetup.exe
Token: SeUndockPrivilege	1644	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	1644	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	1644	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	1644	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	1644	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	1644	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1644	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	1644	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	1644	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	1644	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3852	msiexec.exe
3852	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 2180	4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	97
PID 4392 wrote to memory of 2180	4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	97
PID 4392 wrote to memory of 2180	4392	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	97
PID 2180 wrote to memory of 1644	2180	ExamShieldSetup.exe	98
PID 2180 wrote to memory of 1644	2180	ExamShieldSetup.exe	98
PID 2180 wrote to memory of 1644	2180	ExamShieldSetup.exe	98
PID 740 wrote to memory of 4524	740	msiexec.exe	101
PID 740 wrote to memory of 4524	740	msiexec.exe	101
PID 740 wrote to memory of 4524	740	msiexec.exe	101
PID 1644 wrote to memory of 3384	1644	ExamShieldSetup.exe	102
PID 1644 wrote to memory of 3384	1644	ExamShieldSetup.exe	102
PID 1644 wrote to memory of 208	1644	ExamShieldSetup.exe	103
PID 1644 wrote to memory of 208	1644	ExamShieldSetup.exe	103
PID 1644 wrote to memory of 2456	1644	ExamShieldSetup.exe	104
PID 1644 wrote to memory of 2456	1644	ExamShieldSetup.exe	104
PID 1644 wrote to memory of 1468	1644	ExamShieldSetup.exe	105
PID 1644 wrote to memory of 1468	1644	ExamShieldSetup.exe	105
PID 1644 wrote to memory of 1336	1644	ExamShieldSetup.exe	106
PID 1644 wrote to memory of 1336	1644	ExamShieldSetup.exe	106
PID 1644 wrote to memory of 4344	1644	ExamShieldSetup.exe	107
PID 1644 wrote to memory of 4344	1644	ExamShieldSetup.exe	107
PID 1644 wrote to memory of 3744	1644	ExamShieldSetup.exe	108
PID 1644 wrote to memory of 3744	1644	ExamShieldSetup.exe	108
PID 1644 wrote to memory of 868	1644	ExamShieldSetup.exe	109
PID 1644 wrote to memory of 868	1644	ExamShieldSetup.exe	109
PID 1644 wrote to memory of 4112	1644	ExamShieldSetup.exe	110
PID 1644 wrote to memory of 4112	1644	ExamShieldSetup.exe	110
PID 1644 wrote to memory of 3724	1644	ExamShieldSetup.exe	111
PID 1644 wrote to memory of 3724	1644	ExamShieldSetup.exe	111
PID 1644 wrote to memory of 3852	1644	ExamShieldSetup.exe	112
PID 1644 wrote to memory of 3852	1644	ExamShieldSetup.exe	112
PID 1644 wrote to memory of 3852	1644	ExamShieldSetup.exe	112
PID 740 wrote to memory of 1284	740	msiexec.exe	120
PID 740 wrote to memory of 1284	740	msiexec.exe	120
PID 740 wrote to memory of 1284	740	msiexec.exe	120
PID 1644 wrote to memory of 2028	1644	ExamShieldSetup.exe	122
PID 1644 wrote to memory of 2028	1644	ExamShieldSetup.exe	122
PID 1644 wrote to memory of 2028	1644	ExamShieldSetup.exe	122
PID 2028 wrote to memory of 4540	2028	cmd.exe	124
PID 2028 wrote to memory of 4540	2028	cmd.exe	124
PID 2028 wrote to memory of 4540	2028	cmd.exe	124
PID 1644 wrote to memory of 4544	1644	ExamShieldSetup.exe	125
PID 1644 wrote to memory of 4544	1644	ExamShieldSetup.exe	125
PID 1644 wrote to memory of 4544	1644	ExamShieldSetup.exe	125
PID 4544 wrote to memory of 684	4544	cmd.exe	127
PID 4544 wrote to memory of 684	4544	cmd.exe	127
PID 4544 wrote to memory of 684	4544	cmd.exe	127
PID 1644 wrote to memory of 4896	1644	ExamShieldSetup.exe	128
PID 1644 wrote to memory of 4896	1644	ExamShieldSetup.exe	128
PID 1644 wrote to memory of 4896	1644	ExamShieldSetup.exe	128
PID 4896 wrote to memory of 3016	4896	cmd.exe	130
PID 4896 wrote to memory of 3016	4896	cmd.exe	130
PID 4896 wrote to memory of 3016	4896	cmd.exe	130
PID 1644 wrote to memory of 3240	1644	ExamShieldSetup.exe	131
PID 1644 wrote to memory of 3240	1644	ExamShieldSetup.exe	131
PID 1644 wrote to memory of 3240	1644	ExamShieldSetup.exe	131
PID 3240 wrote to memory of 1372	3240	cmd.exe	139
PID 3240 wrote to memory of 1372	3240	cmd.exe	139
PID 3240 wrote to memory of 1372	3240	cmd.exe	139
PID 1644 wrote to memory of 2708	1644	ExamShieldSetup.exe	134
PID 1644 wrote to memory of 2708	1644	ExamShieldSetup.exe	134
PID 1644 wrote to memory of 2708	1644	ExamShieldSetup.exe	134
PID 1644 wrote to memory of 3320	1644	ExamShieldSetup.exe	137
PID 1644 wrote to memory of 3320	1644	ExamShieldSetup.exe	137

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
"C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
  "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\ExamShieldSetup.exe
    C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}" /z" LAUNCHEXAMSHIELD" /IS_temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4AB29CA-97B5-41D6-B0EE-E815B31A8DF6}
      4⤵
      Executes dropped EXE
      PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CEB40D9D-A014-481F-9941-F9AF32B989B0}
      4⤵
      Executes dropped EXE
      PID:208
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{38F8FEFE-4CB2-48CB-A542-B5E0E098FD00}
      4⤵
      Executes dropped EXE
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEDDC87F-085D-4FE1-84A3-E705FA36B643}
      4⤵
      Executes dropped EXE
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D4494CED-3CEE-4EF0-9D76-98E927381C68}
      4⤵
      Executes dropped EXE
      PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2633C40-7573-49F2-8BE8-991355924996}
      4⤵
      Executes dropped EXE
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07386FAB-9371-4292-9E51-AEFA04576526}
      4⤵
      Executes dropped EXE
      PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{78CC9C50-95D3-4B9E-ACA5-FE4F614CAA28}
      4⤵
      Executes dropped EXE
      PID:868
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7CE726D6-F9A4-4F78-9210-4483AE84BF5E}
      4⤵
      Executes dropped EXE
      PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47BBA09E-FC35-48AA-B09F-F6C69121DD0A}
      4⤵
      Executes dropped EXE
      PID:3724
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1372
  - - C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2708
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4184
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1748
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4236
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3604
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4392
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4248
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1848
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3980
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:528
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:760
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B9D360E2A55583C0475D47C0FF50A95 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4C2E9312D8E53B97B768A67B1D16DC7E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3108

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58fe13.rbs

Filesize
13KB

MD5
8288184a88d0ffd2c7dc70ba0cfdbd86

SHA1
5b64f1c6d8addcbfc3ce512413bff8a643d4de68

SHA256
d46b5ec426dce94fcf6f2c9500ab2cdc79eed0482230b2722bfaeff3d0ce56c5

SHA512
ab2d492d94265ddb39dc24f570a22e0f26134dcf75f8e7f1dec5f2ea5b40a1d9faa8a824c1f448d708cb1cf53a6f9446a38be0400240cd726d8a44afa0de44f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
ce9a6874a76da10d24ad8bc4e20e3cf5

SHA1
3b27eb50a204d1e15d35342a9e9f8d9bc9fe69a2

SHA256
5ef7af52925ad2cfa6954bc78f37c121940dcb88884c12dc5ef330e0fa539929

SHA512
c3bfe608fef57bed48b8e52e18f028d925eef7d4afbdeb617ab1e9e7c5f97eb58290dc7edbb33b0907cd0150ae70ca4532aefc1ea22eac7dd5dae0c6c7e1e0ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
727B

MD5
dae180b82a0d9c10059486fcda17b928

SHA1
47c737e246fe7f24661b9c4a5a9d2fb2c118d8e0

SHA256
e7bc0fc27e7b89e1ee0038b9a2b35e2261798749dc86cf09e9000677429f3329

SHA512
cf97e849bf4858864bdd1d7277105ed762bc5cb17da3775a71652c2b61803a518ab5476f5a2d152739d3e7055ae6ac28d0ec5574d765bc595c907db6b0b75121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
16aca8f094a2ff8d3583c5ffa6794c13

SHA1
ddc31408896006459d03b4ca884c16f1b5ea75c1

SHA256
18bcf914006e1367c2f1dfe94b5bcc497a0c731f95a546c8a7742df4cf4a99ff

SHA512
42b0f7d4d8e7f2dd54f26945467a73c1bb02a1dbdd6b975d389fc96a263e7c944ca443baca215fd6a1bb1d2b81d3cff8295cdd9bd5050291303a4ed2dff09a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
6837c3d282f290e1a0d92bd2330485cb

SHA1
ed5455114028b2d2d5077503d015d3d6791fe1ed

SHA256
bae8180b6b3d6bcf50643c942f0325a95003abd2b0e289e7b594d07601b9d864

SHA512
87d712162dfd22909f31e0d014994158b2a8e40b71b14b5dd38701a906bf9fb5c467620f17f9a7fc4e8ee3d8064b6416054f72d9b7df04fb8a8ae638c81dd70f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
408B

MD5
363fea7b2830b42f5e6f4be1c326f43e

SHA1
46bba421771f561bbb0953c5e70437abd4f37ed0

SHA256
6666ed14610bf23c9dcdd3ec9bc197f127157dd20502b890f732986d1f7adaf5

SHA512
21f8902b51edbda1c3279b15857a11b0655216f019104c7fcde36471edc50060dac9ef8b5a6926d9e5d67ca1df4c1206924350fd629b87cfb2bb3843a43464f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
a0e113db1fe5bfb411b147a0ae34f915

SHA1
b7100f227228422ff994d57b79fddbe9fc775e13

SHA256
8a405e84f0383b73ee958a811669fa3efa51149e1f58e9c4ddc2de04d165a562

SHA512
16d5652bb6939eee803bb2a1552256b08fef5ed6bb22b5077fe578bcbace3101867102219e9592de2cc58419b1e8bc5ca701968669e890766b2808e010f287e3

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldParams.dat

Filesize
9B

MD5
9bab2b4c50d8359fc53c582d09ca21df

SHA1
9b2473d04fc51348aa20d1fedf5e629c43a0ada9

SHA256
9dbf8057012e99a692df37f984b92232c1aeee59ba9576be9f440d2ae0bef774

SHA512
c989409cb5c9fd74b66ec0a6c2d2a0f1166c2f7e379794bc7511119c53388baf60e37ef0b0f8f3b854283f832fc91147b63da46eb3cef22bc394946e34943a12

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe

Filesize
41.8MB

MD5
95846ce7c1cb570ef1ba75cfe7e4ed90

SHA1
f8488ddd1fc199cd2182e64b1e7c828c85c39426

SHA256
448cd7978f7b8bcc3ffd6049a9861f70f9167b4ec710d0722eb4910bcc043f9c

SHA512
82130cd5e395dfe50406c8f377b3d59e6937e185c19ddc0aa2fa1f30b65f9982f4545263b8e14afc36bc1fef76af0b3d48830ee79c8476c23179cb61c17ad81f

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat

Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat

Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll

Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt

Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI81F6.tmp

Filesize
832KB

MD5
913b6675436bf50376f6a56a396e18d2

SHA1
d3298e7c8165bdb6e175031e028f5a146bda7806

SHA256
74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7

SHA512
281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is5717..dll

Filesize
2.5MB

MD5
776275f6e820cef1544c4b4d108a2fd2

SHA1
df9772159cc04e842636628c0a8e1029ce771cc8

SHA256
580467f266bd2e7c69a6ee288bcad2a1c843b4a0571a0df68ad2c15a4cfed691

SHA512
869d2caa001f965cf399ad9a2bdf4b9103fd6d9a697bec263efd2f02a78dcb9a328a4e295f025c549c72bbc258e790f7c139eeb49f0d6911ea25d31601b42f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss6BBD.tmp

Filesize
3.6MB

MD5
19470ab0e93ab0d702a8a6f7dec58aa7

SHA1
f1a85c2a7c8d49e14462bb8018ed6c664a3c515b

SHA256
5d55eabb4dc87f64861d6d226decb113bdd3c2af7ff8a11b81ab111191ea65a6

SHA512
4fdad6c9082a8bf1eacc5b2a68423d502212067bef094862c08f130b296f7f7155607cf21286dd9f8d5da544c69dcf842f7eb1ed65f3b9ffbf608e68581d52aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\ExamShield.msi

Filesize
28.6MB

MD5
56cdf21489801ecbffa8b284ad92b7a2

SHA1
ac521d25bb5b088f9e954fa82e07469b0c43aa2c

SHA256
0977c27bc8646cb53e199654f651a40ce4a5d973a3cf102f7abe68950765b0d0

SHA512
d7e24711b4cc2f99c5f7dc7e1a5a18e5caee0d390e5a1675d9f87b2666cc27007bd1a764c67b8c162611d1e57b5f5c8a70ba8be4e40e70e209f09c1c519f3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\IsConfig.ini

Filesize
167B

MD5
72c6f8ded560067c8619f17230a315b0

SHA1
7b188cb28c0e395f50c69a2d25305dfc20e3521d

SHA256
1c86f6e8b453b278e6fbfb35449baae81e38e0bee1bf9e2fa11ea8227cb90148

SHA512
9656dc4a72eeae47b6bb40aef2d194bc831d49fa2bc23e06e0e2332a12664a76c9817013550d4cfec99ca22e58ebefe4809026db3ff552b753fae62a6c0e3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\_ISMSIDEL.INI

Filesize
272B

MD5
53396ced8e40f2c85f80b8e966c5d2e5

SHA1
e28b52c73779d4f603e2f5eff09619009b7f67bf

SHA256
2465febba6c1045243f33bbdde16ffd673c9ccaf1b3c3e1d73c2ec19a5064a8d

SHA512
8d0631ae8b941012c30e9ec96cefaeff499bc7eda0aa842e7d16e5881ac18fef10e98129279860f8ea9a390ff8bfaeea6a871b1057e57405a04569303026cc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\_ISMSIDEL.INI

Filesize
632B

MD5
b55bd35b7301ce2ee46e65d8836460e1

SHA1
5095597bb438c7dc5e1bff93386554143640da51

SHA256
b6c2dc1d67c8969295a27be998e6ca42b00e697a14f062fdaf73bb84721e6f2a

SHA512
6e0974d957e136fa7b04928aa1d8cd1afc5b375a4664e0f1cbdce1bc842222b26a95a1c55914da1aaafdc30b24d91cbe74f6abaa12ff938d11092541e940a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\ISRT.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\Software License Agreement_EN.rtf

Filesize
7KB

MD5
2d4eaea4d9b564964e5e4aea88d48555

SHA1
2cad664a938cdc69e0c6d741575e5819733fc374

SHA256
93494ec77002f73f074bceeb91be9c4f805c1c07852db14d37729d81e0deefd0

SHA512
4ef21301822b3146984f975943e39a7875281d14b5f14f10fb4051be818115a0d54d02876658d279b820e72720d48983214b37abf1d888ac254be7be5b98cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA8BDC04-452C-4D7C-AE6F-B5B7A55F4CE8}\{E91F30AE}\_isuser_0x0409.dll

Filesize
597KB

MD5
fbd1e1fa1b151fed2dd2cc9de143463c

SHA1
8d82009784d7f10384e3af5b5708d3a530f4f5d9

SHA256
98a1e05526d9688c1e3fc8beb1bcff3bf7c2072f48b0c6386f2454bc18f81330

SHA512
d98acc69f8b575018bfb15d1bde42a8ae3e1b6316371e1f34b00d66bd314d07350b2c9b1e9b7c21a406a89de09ac08098129aeae1453e5307b03d0d338f57357

Download Submit
C:\Users\Admin\AppData\Local\Temp\~45B1.tmp

Filesize
6KB

MD5
d35bbcf352d975a778552c833d98939b

SHA1
d42f160a63deae6add1b0b55d687ddf25012ec72

SHA256
9f2d22e5387d4b0d45bff77c55a0e71a0ca82c5c1ed613489df143f09b7f54cc

SHA512
dac680936fac3f899bdb7f8676af8f9d708a4017c13f885ca9128e3a5b15e028f58421c147377fc132af1ac7fa84322597e1374f4ea538dd3a9fe350bc245b93

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe

Filesize
1.3MB

MD5
81bfed45ec6eb44dca9797e7b42fc449

SHA1
07d0f587f4c8cb8a8aa81fffc7cb44314514abc1

SHA256
5cbaabb43220546b55946f9cfca80016b58b780fa7f0eff7e7b0c69d7ae1c8fb

SHA512
c5ca735543cc2a4709398e0c955b32f9d88d73d29577817f7d9556f008a6f5b5bb4d99c2f698e6fd342453d741514eace38993258dfcc5c5b15d59d8a6d7050a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini

Filesize
5KB

MD5
a17b1c29e72519c7385a622578565e8f

SHA1
d7458fae32fa23ea7c278b9d80cab69aa5b352d5

SHA256
7bf944db58861318d198a6b6ebf1110c00ab93dcb52a7ec922ba393d7b0a6ca6

SHA512
4446371fe00f192aed8fb9f3de6618e6cee05e742be28e5ebf28226b1c0a92158bc07a55ff71620597607fb29e074e90874ee8c2d62b4b8092601400f965d6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll

Filesize
21KB

MD5
121dbf33b0d3bb167e3f8a9773633a3d

SHA1
b9fc193731c7d23ec400e4436525d9222a755c27

SHA256
4a45fa78482d181bf761a852de9b6386841b33cf5c9489c8e4796da4e06b8abf

SHA512
c17bdefe3b8f6922d20edfa4c61b16dbb472d15bc27c7edc3a68e4b5ddc1d4978badf9a7b88500b3ec359421a46a92d85b26c9eb0175a969f69c5048a7a01458

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe

Filesize
19.6MB

MD5
652f27cf21266d7786a8e1ccbe7299b2

SHA1
d8d1c2f147c1c1c6958b876570a5b94370c1edc1

SHA256
1e38d80c1aa39c72170562b76320d24dc194a940d5d7c7f0cc2f218b34a15f71

SHA512
c0ba371d230b217661afe4485750155218e053995ff6e1e09ab777c7121f0cd7307868caa988ac95e4a2e6d33afa52b82364732f25220cea8e0f2fbba2f07cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll

Filesize
447KB

MD5
2319331fd9f77352804c3faf6cd3ebae

SHA1
35757a3ac4c6af5e81357f18f04f9f01614a7dfe

SHA256
f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa

SHA512
75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll

Filesize
365KB

MD5
24fcbc8ad136be0c41d577b7e04f0c32

SHA1
7e8313c7f94f2814eae99afd2e538950771ba578

SHA256
2c40aa70e5db750a7da2dc22c4dc5d57f60be1df019268c5de2434909cce9820

SHA512
c5cbd352b524eb6b2ec6f032edc9ca0bd99a22902ea6e829b5cf6f20f1071886e750085142d94389b6cde09c3b429299d2aab81375278b6c24b4b59d3a6446a9

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico

Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Windows\Installer\MSI92F.tmp

Filesize
626KB

MD5
95bf357fe831c0a89c6a3e3044660e94

SHA1
fa10a0dc55062b5a102eed06344491dc4adbff61

SHA256
2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483

SHA512
191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf

Download Submit
memory/1644-266-0x0000000006460000-0x0000000006627000-memory.dmp

Filesize
1.8MB

Download
memory/2708-533-0x0000000005EF0000-0x0000000005F46000-memory.dmp

Filesize
344KB

Download
memory/2708-559-0x00000000762E0000-0x0000000076561000-memory.dmp

Filesize
2.5MB

Download
memory/2708-513-0x00000000005E0000-0x0000000003295000-memory.dmp

Filesize
44.7MB

Download
memory/2708-517-0x00000000762E0000-0x0000000076561000-memory.dmp

Filesize
2.5MB

Download
memory/2708-518-0x00000000765C0000-0x00000000766A3000-memory.dmp

Filesize
908KB

Download
memory/2708-519-0x00000000005E0000-0x0000000003295000-memory.dmp

Filesize
44.7MB

Download
memory/2708-520-0x00000000005E0000-0x0000000003295000-memory.dmp

Filesize
44.7MB

Download
memory/2708-521-0x0000000074FF0000-0x0000000075079000-memory.dmp

Filesize
548KB

Download
memory/2708-522-0x0000000005860000-0x000000000588A000-memory.dmp

Filesize
168KB

Download
memory/2708-523-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/2708-524-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/2708-525-0x00000000059F0000-0x0000000005B2C000-memory.dmp

Filesize
1.2MB

Download
memory/2708-526-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/2708-527-0x0000000005940000-0x0000000005956000-memory.dmp

Filesize
88KB

Download
memory/2708-528-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/2708-529-0x0000000008EB0000-0x0000000008F42000-memory.dmp

Filesize
584KB

Download
memory/2708-530-0x0000000076BF0000-0x00000000771A3000-memory.dmp

Filesize
5.7MB

Download
memory/2708-515-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2708-532-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/2708-514-0x0000000003740000-0x0000000003787000-memory.dmp

Filesize
284KB

Download
memory/2708-534-0x0000000005980000-0x000000000598E000-memory.dmp

Filesize
56KB

Download
memory/2708-537-0x0000000009C30000-0x0000000009CFE000-memory.dmp

Filesize
824KB

Download
memory/2708-397-0x00000000005E0000-0x0000000003295000-memory.dmp

Filesize
44.7MB

Download
memory/2708-536-0x0000000009A90000-0x0000000009AF6000-memory.dmp

Filesize
408KB

Download
memory/2708-542-0x000000000A1A0000-0x000000000A1AA000-memory.dmp

Filesize
40KB

Download
memory/2708-543-0x000000000A1F0000-0x000000000A1FA000-memory.dmp

Filesize
40KB

Download
memory/2708-544-0x000000000A220000-0x000000000A332000-memory.dmp

Filesize
1.1MB

Download
memory/2708-545-0x000000000AF90000-0x000000000AFD4000-memory.dmp

Filesize
272KB

Download
memory/2708-546-0x000000000D190000-0x000000000D1B2000-memory.dmp

Filesize
136KB

Download
memory/2708-547-0x000000000D180000-0x000000000D18E000-memory.dmp

Filesize
56KB

Download
memory/2708-548-0x000000000D1E0000-0x000000000D228000-memory.dmp

Filesize
288KB

Download
memory/2708-549-0x000000006F190000-0x000000006F3A0000-memory.dmp

Filesize
2.1MB

Download
memory/2708-552-0x0000000076220000-0x0000000076244000-memory.dmp

Filesize
144KB

Download
memory/2708-551-0x0000000076970000-0x0000000076B85000-memory.dmp

Filesize
2.1MB

Download
memory/2708-554-0x00000000755E0000-0x000000007569F000-memory.dmp

Filesize
764KB

Download
memory/2708-557-0x0000000073C50000-0x0000000073CA2000-memory.dmp

Filesize
328KB

Download
memory/2708-553-0x00000000760C0000-0x000000007613B000-memory.dmp

Filesize
492KB

Download
memory/2708-516-0x0000000076970000-0x0000000076B85000-memory.dmp

Filesize
2.1MB

Download
memory/2708-558-0x0000000074CC0000-0x0000000074D34000-memory.dmp

Filesize
464KB

Download
memory/2708-555-0x0000000076160000-0x000000007621F000-memory.dmp

Filesize
764KB

Download
memory/2708-565-0x0000000074FD0000-0x0000000074FD8000-memory.dmp

Filesize
32KB

Download
memory/2708-567-0x0000000074A70000-0x0000000074A84000-memory.dmp

Filesize
80KB

Download
memory/2708-572-0x0000000074F30000-0x0000000074F42000-memory.dmp

Filesize
72KB

Download
memory/2708-575-0x0000000074D90000-0x0000000074E52000-memory.dmp

Filesize
776KB

Download
memory/2708-577-0x0000000076250000-0x0000000076256000-memory.dmp

Filesize
24KB

Download
memory/2708-579-0x000000006FD50000-0x00000000701A0000-memory.dmp

Filesize
4.3MB

Download
memory/2708-585-0x0000000073DB0000-0x0000000073DBB000-memory.dmp

Filesize
44KB

Download
memory/2708-587-0x000000006F3F0000-0x000000006F692000-memory.dmp

Filesize
2.6MB

Download
memory/2708-589-0x000000006EA50000-0x000000006ECC4000-memory.dmp

Filesize
2.5MB

Download
memory/2708-586-0x0000000075A20000-0x0000000075A67000-memory.dmp

Filesize
284KB

Download
memory/2708-600-0x00000000762E0000-0x0000000076561000-memory.dmp

Filesize
2.5MB

Download
memory/2708-604-0x0000000074A90000-0x0000000074B1D000-memory.dmp

Filesize
564KB

Download
memory/2708-598-0x0000000073C50000-0x0000000073CA2000-memory.dmp

Filesize
328KB

Download
memory/2708-595-0x00000000755E0000-0x000000007569F000-memory.dmp

Filesize
764KB

Download
memory/2708-584-0x0000000073CB0000-0x0000000073CCD000-memory.dmp

Filesize
116KB

Download
memory/2708-583-0x000000006F6A0000-0x000000006F848000-memory.dmp

Filesize
1.7MB

Download
memory/2708-582-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download
memory/2708-581-0x000000006FBE0000-0x000000006FD49000-memory.dmp

Filesize
1.4MB

Download
memory/2708-580-0x0000000073A20000-0x0000000073C4B000-memory.dmp

Filesize
2.2MB

Download
memory/2708-550-0x00000000005E0000-0x0000000003295000-memory.dmp

Filesize
44.7MB

Download
memory/2708-574-0x0000000075710000-0x000000007580A000-memory.dmp

Filesize
1000KB

Download
memory/2708-573-0x0000000075A70000-0x0000000075AD3000-memory.dmp

Filesize
396KB

Download
memory/2708-566-0x0000000071D30000-0x00000000724E0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-578-0x0000000074B20000-0x0000000074B41000-memory.dmp

Filesize
132KB

Download
memory/2708-576-0x0000000073F70000-0x0000000074075000-memory.dmp

Filesize
1.0MB

Download
memory/2708-571-0x0000000075C80000-0x0000000075C99000-memory.dmp

Filesize
100KB

Download
memory/2708-570-0x0000000074FF0000-0x0000000075079000-memory.dmp

Filesize
548KB

Download
memory/2708-569-0x00000000765C0000-0x00000000766A3000-memory.dmp

Filesize
908KB

Download
memory/2708-568-0x00000000749C0000-0x0000000074A6B000-memory.dmp

Filesize
684KB

Download
memory/2708-564-0x0000000073DA0000-0x0000000073DAF000-memory.dmp

Filesize
60KB

Download
memory/2708-563-0x0000000074A90000-0x0000000074B1D000-memory.dmp

Filesize
564KB

Download
memory/2708-562-0x0000000076570000-0x00000000765B5000-memory.dmp

Filesize
276KB

Download
memory/2708-561-0x0000000074FA0000-0x0000000074FC4000-memory.dmp

Filesize
144KB

Download
memory/2708-560-0x0000000075540000-0x00000000755D6000-memory.dmp

Filesize
600KB

Download
memory/2708-631-0x000000000D270000-0x000000000D2B6000-memory.dmp

Filesize
280KB

Download