asyncrat | 13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Size

3.5MB
MD5

3d65c83ef6cd531b1cea119ebaed6d4e
SHA1

dd34510ec94ccca3aad65d9956e62d99e214e9f8
SHA256

13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0
SHA512

a49634306f748433821dc246fe4624cb8f9ed1ba721ecb14ebddac9b13403d33cf58136bd2076d43abd40240166e96f91a14092b89fb962ab67fb69dd5711271
SSDEEP

98304:LVU8oNJUmv0ydoQK9q4YwjU4fyp/9EcdY11yyevzeXV:LVaOmiWV+11yyev

Score

10^/10

asyncrat defense_evasion discovery evasion persistence privilege_escalation rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
220	netsh.exe
264	netsh.exe
3744	netsh.exe
876	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ExamShieldSetup.exe

Executes dropped EXE 13 IoCs

pid	Process
1664	ExamShieldSetup.exe
412	ExamShieldSetup.exe
2200	ISBEW64.exe
4376	ISBEW64.exe
2720	ISBEW64.exe
2140	ISBEW64.exe
1680	ISBEW64.exe
1612	ISBEW64.exe
464	ISBEW64.exe
4860	ISBEW64.exe
3304	ISBEW64.exe
2388	ISBEW64.exe
3328	ExamShield.exe

Loads dropped DLL 13 IoCs

pid	Process
412	ExamShieldSetup.exe
4920	MsiExec.exe
4920	MsiExec.exe
412	ExamShieldSetup.exe
412	ExamShieldSetup.exe
412	ExamShieldSetup.exe
412	ExamShieldSetup.exe
412	ExamShieldSetup.exe
1028	MsiExec.exe
1028	MsiExec.exe
1028	MsiExec.exe
1028	MsiExec.exe
3328	ExamShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	ExamShieldSetup.exe
File opened (read-only)	\??\W:	ExamShieldSetup.exe
File opened (read-only)	\??\Z:	ExamShieldSetup.exe
File opened (read-only)	\??\N:	ExamShieldSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	ExamShieldSetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	ExamShieldSetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	ExamShieldSetup.exe
File opened (read-only)	\??\M:	ExamShieldSetup.exe
File opened (read-only)	\??\Q:	ExamShieldSetup.exe
File opened (read-only)	\??\U:	ExamShieldSetup.exe
File opened (read-only)	\??\V:	ExamShieldSetup.exe
File opened (read-only)	\??\Y:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	ExamShieldSetup.exe
File opened (read-only)	\??\O:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	ExamShieldSetup.exe
File opened (read-only)	\??\J:	ExamShieldSetup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	ExamShieldSetup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	ExamShieldSetup.exe
File opened (read-only)	\??\K:	ExamShieldSetup.exe
File opened (read-only)	\??\S:	ExamShieldSetup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3328	ExamShield.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e586ce0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CFF.tmp	msiexec.exe
File created	C:\Windows\Installer\e586cde.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7471.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e586cde.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExamShieldSetup.exe

System Network Connections Discovery 1 TTPs 28 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1848	cmd.exe
3932	NETSTAT.EXE
3868	cmd.exe
956	NETSTAT.EXE
3452	NETSTAT.EXE
4968	cmd.exe
264	NETSTAT.EXE
2440	cmd.exe
4592	cmd.exe
408	NETSTAT.EXE
2704	cmd.exe
3752	NETSTAT.EXE
872	cmd.exe
5080	NETSTAT.EXE
3752	NETSTAT.EXE
1224	cmd.exe
3540	cmd.exe
2388	NETSTAT.EXE
4408	cmd.exe
3508	cmd.exe
440	cmd.exe
972	NETSTAT.EXE
1284	NETSTAT.EXE
1044	cmd.exe
4064	NETSTAT.EXE
3116	NETSTAT.EXE
4816	NETSTAT.EXE
3556	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bd035b1dbd7192500000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bd035b1d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bd035b1d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbd035b1d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bd035b1d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Gathers network information 2 TTPs 14 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
956	NETSTAT.EXE
3116	NETSTAT.EXE
3932	NETSTAT.EXE
5080	NETSTAT.EXE
3452	NETSTAT.EXE
4816	NETSTAT.EXE
2388	NETSTAT.EXE
972	NETSTAT.EXE
3752	NETSTAT.EXE
408	NETSTAT.EXE
1284	NETSTAT.EXE
3752	NETSTAT.EXE
264	NETSTAT.EXE
4064	NETSTAT.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\DefaultIcon\ = "examshield.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open\command\	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell	ExamShieldSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Peoplecert\\ExamShield\\Examshield.exe %1"	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\ = "URL:examshield"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open	ExamShieldSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\examshield\shell\open\command	ExamShieldSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ExamShieldSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ExamShieldSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
412	ExamShieldSetup.exe
412	ExamShieldSetup.exe
3500	msiexec.exe
3500	msiexec.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe
3328	ExamShield.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3500	msiexec.exe
Token: SeCreateTokenPrivilege	412	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	412	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	412	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	412	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	412	ExamShieldSetup.exe
Token: SeTcbPrivilege	412	ExamShieldSetup.exe
Token: SeSecurityPrivilege	412	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	412	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	412	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	412	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	412	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	412	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	412	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	412	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	412	ExamShieldSetup.exe
Token: SeBackupPrivilege	412	ExamShieldSetup.exe
Token: SeRestorePrivilege	412	ExamShieldSetup.exe
Token: SeShutdownPrivilege	412	ExamShieldSetup.exe
Token: SeDebugPrivilege	412	ExamShieldSetup.exe
Token: SeAuditPrivilege	412	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	412	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	412	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	412	ExamShieldSetup.exe
Token: SeUndockPrivilege	412	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	412	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	412	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	412	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	412	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	412	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	412	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	412	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	412	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	412	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	412	ExamShieldSetup.exe
Token: SeTcbPrivilege	412	ExamShieldSetup.exe
Token: SeSecurityPrivilege	412	ExamShieldSetup.exe
Token: SeTakeOwnershipPrivilege	412	ExamShieldSetup.exe
Token: SeLoadDriverPrivilege	412	ExamShieldSetup.exe
Token: SeSystemProfilePrivilege	412	ExamShieldSetup.exe
Token: SeSystemtimePrivilege	412	ExamShieldSetup.exe
Token: SeProfSingleProcessPrivilege	412	ExamShieldSetup.exe
Token: SeIncBasePriorityPrivilege	412	ExamShieldSetup.exe
Token: SeCreatePagefilePrivilege	412	ExamShieldSetup.exe
Token: SeCreatePermanentPrivilege	412	ExamShieldSetup.exe
Token: SeBackupPrivilege	412	ExamShieldSetup.exe
Token: SeRestorePrivilege	412	ExamShieldSetup.exe
Token: SeShutdownPrivilege	412	ExamShieldSetup.exe
Token: SeDebugPrivilege	412	ExamShieldSetup.exe
Token: SeAuditPrivilege	412	ExamShieldSetup.exe
Token: SeSystemEnvironmentPrivilege	412	ExamShieldSetup.exe
Token: SeChangeNotifyPrivilege	412	ExamShieldSetup.exe
Token: SeRemoteShutdownPrivilege	412	ExamShieldSetup.exe
Token: SeUndockPrivilege	412	ExamShieldSetup.exe
Token: SeSyncAgentPrivilege	412	ExamShieldSetup.exe
Token: SeEnableDelegationPrivilege	412	ExamShieldSetup.exe
Token: SeManageVolumePrivilege	412	ExamShieldSetup.exe
Token: SeImpersonatePrivilege	412	ExamShieldSetup.exe
Token: SeCreateGlobalPrivilege	412	ExamShieldSetup.exe
Token: SeCreateTokenPrivilege	412	ExamShieldSetup.exe
Token: SeAssignPrimaryTokenPrivilege	412	ExamShieldSetup.exe
Token: SeLockMemoryPrivilege	412	ExamShieldSetup.exe
Token: SeIncreaseQuotaPrivilege	412	ExamShieldSetup.exe
Token: SeMachineAccountPrivilege	412	ExamShieldSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5104	msiexec.exe
5104	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1664	1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	94
PID 1364 wrote to memory of 1664	1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	94
PID 1364 wrote to memory of 1664	1364	13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe	94
PID 1664 wrote to memory of 412	1664	ExamShieldSetup.exe	95
PID 1664 wrote to memory of 412	1664	ExamShieldSetup.exe	95
PID 1664 wrote to memory of 412	1664	ExamShieldSetup.exe	95
PID 3500 wrote to memory of 4920	3500	msiexec.exe	99
PID 3500 wrote to memory of 4920	3500	msiexec.exe	99
PID 3500 wrote to memory of 4920	3500	msiexec.exe	99
PID 412 wrote to memory of 2200	412	ExamShieldSetup.exe	100
PID 412 wrote to memory of 2200	412	ExamShieldSetup.exe	100
PID 412 wrote to memory of 4376	412	ExamShieldSetup.exe	101
PID 412 wrote to memory of 4376	412	ExamShieldSetup.exe	101
PID 412 wrote to memory of 2720	412	ExamShieldSetup.exe	102
PID 412 wrote to memory of 2720	412	ExamShieldSetup.exe	102
PID 412 wrote to memory of 2140	412	ExamShieldSetup.exe	103
PID 412 wrote to memory of 2140	412	ExamShieldSetup.exe	103
PID 412 wrote to memory of 1680	412	ExamShieldSetup.exe	104
PID 412 wrote to memory of 1680	412	ExamShieldSetup.exe	104
PID 412 wrote to memory of 1612	412	ExamShieldSetup.exe	105
PID 412 wrote to memory of 1612	412	ExamShieldSetup.exe	105
PID 412 wrote to memory of 464	412	ExamShieldSetup.exe	106
PID 412 wrote to memory of 464	412	ExamShieldSetup.exe	106
PID 412 wrote to memory of 4860	412	ExamShieldSetup.exe	107
PID 412 wrote to memory of 4860	412	ExamShieldSetup.exe	107
PID 412 wrote to memory of 3304	412	ExamShieldSetup.exe	108
PID 412 wrote to memory of 3304	412	ExamShieldSetup.exe	108
PID 412 wrote to memory of 2388	412	ExamShieldSetup.exe	109
PID 412 wrote to memory of 2388	412	ExamShieldSetup.exe	109
PID 412 wrote to memory of 5104	412	ExamShieldSetup.exe	110
PID 412 wrote to memory of 5104	412	ExamShieldSetup.exe	110
PID 412 wrote to memory of 5104	412	ExamShieldSetup.exe	110
PID 3500 wrote to memory of 1028	3500	msiexec.exe	119
PID 3500 wrote to memory of 1028	3500	msiexec.exe	119
PID 3500 wrote to memory of 1028	3500	msiexec.exe	119
PID 412 wrote to memory of 2032	412	ExamShieldSetup.exe	121
PID 412 wrote to memory of 2032	412	ExamShieldSetup.exe	121
PID 412 wrote to memory of 2032	412	ExamShieldSetup.exe	121
PID 2032 wrote to memory of 220	2032	cmd.exe	123
PID 2032 wrote to memory of 220	2032	cmd.exe	123
PID 2032 wrote to memory of 220	2032	cmd.exe	123
PID 412 wrote to memory of 4044	412	ExamShieldSetup.exe	124
PID 412 wrote to memory of 4044	412	ExamShieldSetup.exe	124
PID 412 wrote to memory of 4044	412	ExamShieldSetup.exe	124
PID 4044 wrote to memory of 264	4044	cmd.exe	126
PID 4044 wrote to memory of 264	4044	cmd.exe	126
PID 4044 wrote to memory of 264	4044	cmd.exe	126
PID 412 wrote to memory of 3608	412	ExamShieldSetup.exe	127
PID 412 wrote to memory of 3608	412	ExamShieldSetup.exe	127
PID 412 wrote to memory of 3608	412	ExamShieldSetup.exe	127
PID 3608 wrote to memory of 3744	3608	cmd.exe	129
PID 3608 wrote to memory of 3744	3608	cmd.exe	129
PID 3608 wrote to memory of 3744	3608	cmd.exe	129
PID 412 wrote to memory of 3912	412	ExamShieldSetup.exe	130
PID 412 wrote to memory of 3912	412	ExamShieldSetup.exe	130
PID 412 wrote to memory of 3912	412	ExamShieldSetup.exe	130
PID 3912 wrote to memory of 876	3912	cmd.exe	132
PID 3912 wrote to memory of 876	3912	cmd.exe	132
PID 3912 wrote to memory of 876	3912	cmd.exe	132
PID 412 wrote to memory of 3328	412	ExamShieldSetup.exe	133
PID 412 wrote to memory of 3328	412	ExamShieldSetup.exe	133
PID 412 wrote to memory of 3328	412	ExamShieldSetup.exe	133
PID 412 wrote to memory of 64	412	ExamShieldSetup.exe	135
PID 412 wrote to memory of 64	412	ExamShieldSetup.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe
"C:\Users\Admin\AppData\Local\Temp\13af5dce278866f04c1b7c929b97010c9b057ca7201cde2c983a6a12c196dcb0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe
  "C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /z" LAUNCHEXAMSHIELD"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\ExamShieldSetup.exe
    C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\ExamShieldSetup.exe /q"C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}" /z" LAUNCHEXAMSHIELD" /IS_temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36F62C35-BCFF-41FC-8D55-D100B5C1A6B6}
      4⤵
      Executes dropped EXE
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51517623-A747-4821-8658-00C5AF7EF707}
      4⤵
      Executes dropped EXE
      PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8CDB1CFB-B492-445B-84C6-A2E258D24F58}
      4⤵
      Executes dropped EXE
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1174D415-EEE8-4592-B1F3-40F75E10A0EC}
      4⤵
      Executes dropped EXE
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08BC8995-0EC3-4535-8828-106169842422}
      4⤵
      Executes dropped EXE
      PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D56F53FE-309B-4ABE-AEB6-689CD5C89BF3}
      4⤵
      Executes dropped EXE
      PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB7D2270-9D7F-4DBC-BDD6-B9414295BA28}
      4⤵
      Executes dropped EXE
      PID:464
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E03E0A16-F95A-42B9-AC12-F0F72A8D6FAE}
      4⤵
      Executes dropped EXE
      PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BF12A45-724C-47FC-8332-872FA01AC5E7}
      4⤵
      Executes dropped EXE
      PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B6E530F-4EB6-412F-873C-9B8DB7AAA83B}
      4⤵
      Executes dropped EXE
      PID:2388
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /x "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\M2M_Candidate_Install.msi" /qb-
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="IN"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "IN" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="IN" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallOUT.txt""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall show rule name="Exam Shield" direction="OUT"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat" "Exam Shield" "OUT" "C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Exam Shield" direction="OUT" action=allow program="C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:876
  - - C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2704
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:956
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3868
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3752
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1224
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:972
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:872
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3116
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3540
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3452
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1848
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:264
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:2440
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4816
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3556
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2388
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4592
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3752
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4968
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:408
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:4408
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1284
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:1044
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4064
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:3508
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3932
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C netstat -ano
        5⤵
        System Network Connections Discovery
        
        PID:440
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}"
      4⤵
      System Location Discovery: System Language Discovery
      PID:64

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B157DA11F3CD005A90137ED012AA191C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 311D7B8AD53E1EEF546CF88D8E39CE89
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1700

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586cdf.rbs

Filesize
13KB

MD5
52c1bf704c0ecc49f7baa912ca331504

SHA1
82bee6b03c1d39b024b793c410d0ef9bb71b5bdc

SHA256
2e3e637519ad536f8f8eb97b343854613b501b48bbe6054eadcbe21d91607541

SHA512
13e491c96337815e93a5e978a8560ebcd1c758b7721b720dc12f20d8ba28e22e4eaf474f00f9688ffd2164f84849a6d5359ada3395c85ea0f20bc15cfee4239f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
4f4adc1c1ca88ff7e8c36d133a8ecda0

SHA1
72786dcd1d303cd9470a24e45c49c8be0eca64ed

SHA256
df376680485b5fb1b67534fa2d2873d89c6aa73270d1401e2c70eda139cbb13a

SHA512
ee5744f70ae12619dd93fb7463036953a29a34eb5584083c816be789a571a2848ed8ac1320410b0bf1ae7aeac9e3527ca8a27ff314adb1cfa59c6a9cad339024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
727B

MD5
dae180b82a0d9c10059486fcda17b928

SHA1
47c737e246fe7f24661b9c4a5a9d2fb2c118d8e0

SHA256
e7bc0fc27e7b89e1ee0038b9a2b35e2261798749dc86cf09e9000677429f3329

SHA512
cf97e849bf4858864bdd1d7277105ed762bc5cb17da3775a71652c2b61803a518ab5476f5a2d152739d3e7055ae6ac28d0ec5574d765bc595c907db6b0b75121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
16aca8f094a2ff8d3583c5ffa6794c13

SHA1
ddc31408896006459d03b4ca884c16f1b5ea75c1

SHA256
18bcf914006e1367c2f1dfe94b5bcc497a0c731f95a546c8a7742df4cf4a99ff

SHA512
42b0f7d4d8e7f2dd54f26945467a73c1bb02a1dbdd6b975d389fc96a263e7c944ca443baca215fd6a1bb1d2b81d3cff8295cdd9bd5050291303a4ed2dff09a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8cdd023a648abc7c1d8a12dc36c1dbcf

SHA1
1f4c3f5e4e5f43d3caf6324cf445d8d00eac661e

SHA256
f1d85d37a56aba936de510386146b0fd79e732b6349052fdc0975b9457bfe584

SHA512
0b77a8f4dff1452a014cf183afe2ce06a70b7697ad027b8d327640f35f1c34dc4a86be48918f7f7314ea86f9274cc0c8366c48b8d72b7119d41349184fbd7085

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F2D29F1FC788F9D03B93773228972B1E

Filesize
408B

MD5
01672bc6624a31751ee71dba00a5f98f

SHA1
da2da3c9404c6bb0520585c5d6c349a5010dd658

SHA256
7e44d4882686868f73c2a292d079296a413c8cba4210ecd9c930f594674c37ca

SHA512
af13c9331a6efe40037d20d668a78d73c8b35dc5e94abcca3d51610c572f00d7fe332e1bdff04de1f29b271b4f212a5d34230159c630ea365ba761fe3fd601c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
c611607f7e30eb66a9bbf4424eabf7e9

SHA1
4f64e6275c1a3327e169071ae090a40bd2c54741

SHA256
e803ef832565958466e4ea255d94c77b5dcfe47300b4800995b5360860c5c287

SHA512
74b5498f17a1aba6075c9b650bba735951c639993e92c4a266e894b96183e91270330249fc93e9c1f5703d6e828b5232048bffbce0b889ea0711d30315bf08ef

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldParams.dat

Filesize
9B

MD5
9bab2b4c50d8359fc53c582d09ca21df

SHA1
9b2473d04fc51348aa20d1fedf5e629c43a0ada9

SHA256
9dbf8057012e99a692df37f984b92232c1aeee59ba9576be9f440d2ae0bef774

SHA512
c989409cb5c9fd74b66ec0a6c2d2a0f1166c2f7e379794bc7511119c53388baf60e37ef0b0f8f3b854283f832fc91147b63da46eb3cef22bc394946e34943a12

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\ExamShieldSetup.exe

Filesize
41.8MB

MD5
95846ce7c1cb570ef1ba75cfe7e4ed90

SHA1
f8488ddd1fc199cd2182e64b1e7c828c85c39426

SHA256
448cd7978f7b8bcc3ffd6049a9861f70f9167b4ec710d0722eb4910bcc043f9c

SHA512
82130cd5e395dfe50406c8f377b3d59e6937e185c19ddc0aa2fa1f30b65f9982f4545263b8e14afc36bc1fef76af0b3d48830ee79c8476c23179cb61c17ad81f

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshAddFirewallRule.bat

Filesize
103B

MD5
ca0a346e58cc7f177fe9ab3a7abaff46

SHA1
0f5ed1b10b848731b7a7e19ac799b46c7eaaec44

SHA256
f3e8917bf8faf2814283519a4d1049fb8dca73df7bf5b5b55b22d4fef4df2011

SHA512
858959a5863f4af7a27891f77f3827c45e3431a9b731589ad186d3668e3866865e29132289f93f116777c03b6e96a78229ed9bea609a3b32a35a8d8801192417

Download Submit
C:\Users\Admin\AppData\Local\Exam Shield\NetshShowFirewallRule.bat

Filesize
73B

MD5
10db042a6c5c43a13106a70f42c9eae0

SHA1
6351e3ded2ce5f2ca018c1d0d04fe40f0124d4f9

SHA256
34b4b9034991ccaa4d1b5648b6f352bf9fc00ab162b4fbb1e11a9f3f64838b74

SHA512
d92185e5e9d7c555006c27bb0eb94a2181ca64aefe2b6f02bfc914829fb618b29071aabec5c67c06ccc7b91a75ded50c1bbdcbc0a2f840bed7589ba924b89357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\46AEF975D9B71ABDB2DF1AA71047AA09\32\webview2loader.dll

Filesize
104KB

MD5
9a5b63400b8f9758469627bbda1adad2

SHA1
4e14ff901760ac79879bd2a9d0f16e36999025fd

SHA256
464c49461f856c6d4ea995122e47825e7b600b88ff78c0592f56599cabd58084

SHA512
4108062abfbea5dd58e07e3dd504b23475bf098227fef50b9e849a747abd7acbff07669ef628d6937d118d3d379656c8145e0d726a52ecc2b12ec7a698e61014

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExamShieldFirewallIN.txt

Filesize
44B

MD5
656d246c6ce9a47f07ec793b6bb27f07

SHA1
0c098838274f64dbb02500a68b855e6703dddaf1

SHA256
77429fff9c65f96bc190c4c14916423f0196a2a570970a095285364743172af4

SHA512
9e47c89948cf63770f5e59b793b8625364c9f9b679b80b9cd821abc9866c0bc23608aeee9794ac45e547ff11bbd47da7bda640d72218507ee2fa9382a9419476

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI284D.tmp

Filesize
832KB

MD5
913b6675436bf50376f6a56a396e18d2

SHA1
d3298e7c8165bdb6e175031e028f5a146bda7806

SHA256
74248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7

SHA512
281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isF909..dll

Filesize
2.5MB

MD5
776275f6e820cef1544c4b4d108a2fd2

SHA1
df9772159cc04e842636628c0a8e1029ce771cc8

SHA256
580467f266bd2e7c69a6ee288bcad2a1c843b4a0571a0df68ad2c15a4cfed691

SHA512
869d2caa001f965cf399ad9a2bdf4b9103fd6d9a697bec263efd2f02a78dcb9a328a4e295f025c549c72bbc258e790f7c139eeb49f0d6911ea25d31601b42f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss18CB.tmp

Filesize
3.6MB

MD5
19470ab0e93ab0d702a8a6f7dec58aa7

SHA1
f1a85c2a7c8d49e14462bb8018ed6c664a3c515b

SHA256
5d55eabb4dc87f64861d6d226decb113bdd3c2af7ff8a11b81ab111191ea65a6

SHA512
4fdad6c9082a8bf1eacc5b2a68423d502212067bef094862c08f130b296f7f7155607cf21286dd9f8d5da544c69dcf842f7eb1ed65f3b9ffbf608e68581d52aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\0x0409.ini

Filesize
22KB

MD5
1196f20ca8bcaa637625e6a061d74c9e

SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274

SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29

SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\ExamShield.msi

Filesize
28.6MB

MD5
56cdf21489801ecbffa8b284ad92b7a2

SHA1
ac521d25bb5b088f9e954fa82e07469b0c43aa2c

SHA256
0977c27bc8646cb53e199654f651a40ce4a5d973a3cf102f7abe68950765b0d0

SHA512
d7e24711b4cc2f99c5f7dc7e1a5a18e5caee0d390e5a1675d9f87b2666cc27007bd1a764c67b8c162611d1e57b5f5c8a70ba8be4e40e70e209f09c1c519f3760

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\IsConfig.ini

Filesize
167B

MD5
72c6f8ded560067c8619f17230a315b0

SHA1
7b188cb28c0e395f50c69a2d25305dfc20e3521d

SHA256
1c86f6e8b453b278e6fbfb35449baae81e38e0bee1bf9e2fa11ea8227cb90148

SHA512
9656dc4a72eeae47b6bb40aef2d194bc831d49fa2bc23e06e0e2332a12664a76c9817013550d4cfec99ca22e58ebefe4809026db3ff552b753fae62a6c0e3a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\_ISMSIDEL.INI

Filesize
632B

MD5
05f8f19f0268b05825676bb527a0cb76

SHA1
b8b543070b60e5e588f06e3213a8146da2629263

SHA256
0d6e24449ae0c1d9d643c8894df81b0854e4b89ad26fdaf84f23c9e04d2181fe

SHA512
8da04eed05fd3ad70563becc3bbbd207ca9daee230cbb0392adc0c04b3025da16981373d314246f6fdc5c1ed6db2b5b418cc7e43ee7a71073c5e234f45e10b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\_ISMSIDEL.INI

Filesize
272B

MD5
1eeced9390611276b43b4630cb22febb

SHA1
ed777906ccd7a3838d2c31b74eac505b9222ad50

SHA256
e2a0bbbab408ed1e394b3c0cbeec0f8dc08c1816304d20a21fdb58cfad761686

SHA512
64f7ab55f35d01429136856d4a0e0c00d1fd4c2f4446c88c5d3e711104817596cf9f224fdebdbdbd57b1ee3cd395a4377149bf80773f9123f0510b4506ec2677

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISBEW64.exe

Filesize
198KB

MD5
28857f9a5dc8af367e533076267f5b4d

SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa

SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee

SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\ISRT.dll

Filesize
1.1MB

MD5
ff43031211486580947f25f293b8125b

SHA1
31030ea85fce86a7679f80771838d58df631c28c

SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0

SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\Software License Agreement_EN.rtf

Filesize
7KB

MD5
2d4eaea4d9b564964e5e4aea88d48555

SHA1
2cad664a938cdc69e0c6d741575e5819733fc374

SHA256
93494ec77002f73f074bceeb91be9c4f805c1c07852db14d37729d81e0deefd0

SHA512
4ef21301822b3146984f975943e39a7875281d14b5f14f10fb4051be818115a0d54d02876658d279b820e72720d48983214b37abf1d888ac254be7be5b98cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\_isres_0x0409.dll

Filesize
1.8MB

MD5
8afdae8fe83d1a813b54e48230aed2db

SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c

SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6

SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D2BE42A-F4AD-4AB4-8E1C-5899E52F201F}\{E91F30AE}\_isuser_0x0409.dll

Filesize
597KB

MD5
fbd1e1fa1b151fed2dd2cc9de143463c

SHA1
8d82009784d7f10384e3af5b5708d3a530f4f5d9

SHA256
98a1e05526d9688c1e3fc8beb1bcff3bf7c2072f48b0c6386f2454bc18f81330

SHA512
d98acc69f8b575018bfb15d1bde42a8ae3e1b6316371e1f34b00d66bd314d07350b2c9b1e9b7c21a406a89de09ac08098129aeae1453e5307b03d0d338f57357

Download Submit
C:\Users\Admin\AppData\Local\Temp\~EC65.tmp

Filesize
6KB

MD5
d35bbcf352d975a778552c833d98939b

SHA1
d42f160a63deae6add1b0b55d687ddf25012ec72

SHA256
9f2d22e5387d4b0d45bff77c55a0e71a0ca82c5c1ed613489df143f09b7f54cc

SHA512
dac680936fac3f899bdb7f8676af8f9d708a4017c13f885ca9128e3a5b15e028f58421c147377fc132af1ac7fa84322597e1374f4ea538dd3a9fe350bc245b93

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.exe

Filesize
1.3MB

MD5
81bfed45ec6eb44dca9797e7b42fc449

SHA1
07d0f587f4c8cb8a8aa81fffc7cb44314514abc1

SHA256
5cbaabb43220546b55946f9cfca80016b58b780fa7f0eff7e7b0c69d7ae1c8fb

SHA512
c5ca735543cc2a4709398e0c955b32f9d88d73d29577817f7d9556f008a6f5b5bb4d99c2f698e6fd342453d741514eace38993258dfcc5c5b15d59d8a6d7050a

Download Submit
C:\Users\Admin\AppData\Roaming\InstallShield Installation Information\{7F0D7EF7-0EDF-4F49-9B13-893595BB70CB}\setup.ini

Filesize
5KB

MD5
a17b1c29e72519c7385a622578565e8f

SHA1
d7458fae32fa23ea7c278b9d80cab69aa5b352d5

SHA256
7bf944db58861318d198a6b6ebf1110c00ab93dcb52a7ec922ba393d7b0a6ca6

SHA512
4446371fe00f192aed8fb9f3de6618e6cee05e742be28e5ebf28226b1c0a92158bc07a55ff71620597607fb29e074e90874ee8c2d62b4b8092601400f965d6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\Detect.dll

Filesize
21KB

MD5
121dbf33b0d3bb167e3f8a9773633a3d

SHA1
b9fc193731c7d23ec400e4436525d9222a755c27

SHA256
4a45fa78482d181bf761a852de9b6386841b33cf5c9489c8e4796da4e06b8abf

SHA512
c17bdefe3b8f6922d20edfa4c61b16dbb472d15bc27c7edc3a68e4b5ddc1d4978badf9a7b88500b3ec359421a46a92d85b26c9eb0175a969f69c5048a7a01458

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\ExamShield.exe

Filesize
19.6MB

MD5
652f27cf21266d7786a8e1ccbe7299b2

SHA1
d8d1c2f147c1c1c6958b876570a5b94370c1edc1

SHA256
1e38d80c1aa39c72170562b76320d24dc194a940d5d7c7f0cc2f218b34a15f71

SHA512
c0ba371d230b217661afe4485750155218e053995ff6e1e09ab777c7121f0cd7307868caa988ac95e4a2e6d33afa52b82364732f25220cea8e0f2fbba2f07cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\VP8.dll

Filesize
447KB

MD5
2319331fd9f77352804c3faf6cd3ebae

SHA1
35757a3ac4c6af5e81357f18f04f9f01614a7dfe

SHA256
f20ae03124000f8f1c12dc94a90239c684d78c682245362a0f6db26acd3250fa

SHA512
75124f0bc0bc95b03d569a2832a5772df008f7872744c77e6b95a766d9dfa438f5d2f665cd052c797df03e521e820f16e19bfbf829b6d32d258acb139da18fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\opusGeneric.dll

Filesize
365KB

MD5
24fcbc8ad136be0c41d577b7e04f0c32

SHA1
7e8313c7f94f2814eae99afd2e538950771ba578

SHA256
2c40aa70e5db750a7da2dc22c4dc5d57f60be1df019268c5de2434909cce9820

SHA512
c5cbd352b524eb6b2ec6f032edc9ca0bd99a22902ea6e829b5cf6f20f1071886e750085142d94389b6cde09c3b429299d2aab81375278b6c24b4b59d3a6446a9

Download Submit
C:\Users\Admin\AppData\Roaming\Peoplecert\ExamShield\uninstall.ico

Filesize
24KB

MD5
279e6e80c39add675219c447f9c1f381

SHA1
8287588124e8f8a6c94435e44344e3ee7062c4be

SHA256
22af06e0e900a6c7c337b91bb915e97d8ab8dd51cce839e68d18698a06d76527

SHA512
477a603b71017ee41a9e04693ccc7fd136f9311fb8f2e882792c2312934da48bbe0dbe521a3b0e27ed63f3197c05ed8df5967563dc7facee622341b6e33dd1ce

Download Submit
C:\Windows\Installer\MSI7471.tmp

Filesize
626KB

MD5
95bf357fe831c0a89c6a3e3044660e94

SHA1
fa10a0dc55062b5a102eed06344491dc4adbff61

SHA256
2d6216e7a67b854e2048d10d3bc49dca7bd9fe814516cf25ea4800fb3ddea483

SHA512
191cc3661bb9c8012f35e71211c84d3c81968154fff140b965e164549d15d2ba42a4f55f33feae32cc547df4e02c1e9d905552ace929739c0fea1d2a5d3aadcf

Download Submit
memory/412-266-0x00000000064F0000-0x00000000066B7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-535-0x0000000005FC0000-0x0000000005FCE000-memory.dmp

Filesize
56KB

Download
memory/3328-572-0x0000000076620000-0x0000000076626000-memory.dmp

Filesize
24KB

Download
memory/3328-518-0x00000000779D0000-0x0000000077C51000-memory.dmp

Filesize
2.5MB

Download
memory/3328-514-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download
memory/3328-519-0x0000000075F00000-0x0000000075FE3000-memory.dmp

Filesize
908KB

Download
memory/3328-520-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download
memory/3328-521-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download
memory/3328-522-0x0000000075AA0000-0x0000000075B29000-memory.dmp

Filesize
548KB

Download
memory/3328-524-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/3328-523-0x0000000005A00000-0x0000000005A2A000-memory.dmp

Filesize
168KB

Download
memory/3328-525-0x0000000006040000-0x00000000065E4000-memory.dmp

Filesize
5.6MB

Download
memory/3328-526-0x0000000005A90000-0x0000000005BCC000-memory.dmp

Filesize
1.2MB

Download
memory/3328-527-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/3328-528-0x0000000005F80000-0x0000000005F96000-memory.dmp

Filesize
88KB

Download
memory/3328-529-0x0000000006010000-0x0000000006022000-memory.dmp

Filesize
72KB

Download
memory/3328-530-0x0000000006790000-0x0000000006822000-memory.dmp

Filesize
584KB

Download
memory/3328-531-0x0000000076FB0000-0x0000000077563000-memory.dmp

Filesize
5.7MB

Download
memory/3328-534-0x0000000006650000-0x00000000066A6000-memory.dmp

Filesize
344KB

Download
memory/3328-533-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/3328-516-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/3328-515-0x0000000003900000-0x0000000003947000-memory.dmp

Filesize
284KB

Download
memory/3328-537-0x0000000009F00000-0x0000000009F66000-memory.dmp

Filesize
408KB

Download
memory/3328-538-0x0000000009F70000-0x000000000A03E000-memory.dmp

Filesize
824KB

Download
memory/3328-398-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download
memory/3328-548-0x0000000076E70000-0x0000000076F2F000-memory.dmp

Filesize
764KB

Download
memory/3328-547-0x00000000777A0000-0x000000007785F000-memory.dmp

Filesize
764KB

Download
memory/3328-556-0x0000000076190000-0x00000000761D5000-memory.dmp

Filesize
276KB

Download
memory/3328-557-0x0000000075540000-0x00000000755CD000-memory.dmp

Filesize
564KB

Download
memory/3328-560-0x0000000075A80000-0x0000000075A88000-memory.dmp

Filesize
32KB

Download
memory/3328-559-0x0000000074850000-0x000000007485F000-memory.dmp

Filesize
60KB

Download
memory/3328-558-0x000000000A560000-0x000000000A56A000-memory.dmp

Filesize
40KB

Download
memory/3328-552-0x00000000779D0000-0x0000000077C51000-memory.dmp

Filesize
2.5MB

Download
memory/3328-553-0x000000000A510000-0x000000000A51A000-memory.dmp

Filesize
40KB

Download
memory/3328-551-0x0000000075770000-0x00000000757E4000-memory.dmp

Filesize
464KB

Download
memory/3328-550-0x00000000746E0000-0x0000000074732000-memory.dmp

Filesize
328KB

Download
memory/3328-555-0x0000000075A50000-0x0000000075A74000-memory.dmp

Filesize
144KB

Download
memory/3328-554-0x0000000075E60000-0x0000000075EF6000-memory.dmp

Filesize
600KB

Download
memory/3328-546-0x0000000076F30000-0x0000000076FAB000-memory.dmp

Filesize
492KB

Download
memory/3328-562-0x000000000A590000-0x000000000A6A2000-memory.dmp

Filesize
1.1MB

Download
memory/3328-517-0x00000000769E0000-0x0000000076BF5000-memory.dmp

Filesize
2.1MB

Download
memory/3328-570-0x00000000775F0000-0x00000000776EA000-memory.dmp

Filesize
1000KB

Download
memory/3328-574-0x00000000755D0000-0x00000000755F1000-memory.dmp

Filesize
132KB

Download
memory/3328-573-0x0000000070800000-0x0000000070C50000-memory.dmp

Filesize
4.3MB

Download
memory/3328-575-0x000000000A950000-0x000000000A994000-memory.dmp

Filesize
272KB

Download
memory/3328-571-0x0000000074A20000-0x0000000074B25000-memory.dmp

Filesize
1.0MB

Download
memory/3328-569-0x0000000075FF0000-0x0000000076053000-memory.dmp

Filesize
396KB

Download
memory/3328-568-0x00000000759E0000-0x00000000759F2000-memory.dmp

Filesize
72KB

Download
memory/3328-567-0x00000000760F0000-0x0000000076109000-memory.dmp

Filesize
100KB

Download
memory/3328-566-0x0000000075AA0000-0x0000000075B29000-memory.dmp

Filesize
548KB

Download
memory/3328-564-0x0000000075470000-0x000000007551B000-memory.dmp

Filesize
684KB

Download
memory/3328-563-0x0000000075520000-0x0000000075534000-memory.dmp

Filesize
80KB

Download
memory/3328-561-0x00000000727E0000-0x0000000072F90000-memory.dmp

Filesize
7.7MB

Download
memory/3328-543-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download
memory/3328-545-0x00000000769B0000-0x00000000769D4000-memory.dmp

Filesize
144KB

Download
memory/3328-544-0x00000000769E0000-0x0000000076BF5000-memory.dmp

Filesize
2.1MB

Download
memory/3328-578-0x000000000DD30000-0x000000000DD78000-memory.dmp

Filesize
288KB

Download
memory/3328-577-0x000000000D4C0000-0x000000000D4CE000-memory.dmp

Filesize
56KB

Download
memory/3328-576-0x000000000D500000-0x000000000D522000-memory.dmp

Filesize
136KB

Download
memory/3328-579-0x000000006FD70000-0x000000006FF80000-memory.dmp

Filesize
2.1MB

Download
memory/3328-598-0x0000000075470000-0x000000007551B000-memory.dmp

Filesize
684KB

Download
memory/3328-604-0x00000000775F0000-0x00000000776EA000-memory.dmp

Filesize
1000KB

Download
memory/3328-601-0x00000000760F0000-0x0000000076109000-memory.dmp

Filesize
100KB

Download
memory/3328-600-0x0000000075AA0000-0x0000000075B29000-memory.dmp

Filesize
548KB

Download
memory/3328-599-0x0000000075F00000-0x0000000075FE3000-memory.dmp

Filesize
908KB

Download
memory/3328-596-0x00000000727E0000-0x0000000072F90000-memory.dmp

Filesize
7.7MB

Download
memory/3328-620-0x000000000E650000-0x000000000E696000-memory.dmp

Filesize
280KB

Download
memory/3328-593-0x0000000075540000-0x00000000755CD000-memory.dmp

Filesize
564KB

Download
memory/3328-592-0x0000000076190000-0x00000000761D5000-memory.dmp

Filesize
276KB

Download
memory/3328-590-0x0000000075E60000-0x0000000075EF6000-memory.dmp

Filesize
600KB

Download
memory/3328-589-0x00000000779D0000-0x0000000077C51000-memory.dmp

Filesize
2.5MB

Download
memory/3328-588-0x0000000075770000-0x00000000757E4000-memory.dmp

Filesize
464KB

Download
memory/3328-605-0x0000000075840000-0x0000000075902000-memory.dmp

Filesize
776KB

Download
memory/3328-597-0x0000000075520000-0x0000000075534000-memory.dmp

Filesize
80KB

Download
memory/3328-587-0x00000000746E0000-0x0000000074732000-memory.dmp

Filesize
328KB

Download
memory/3328-585-0x0000000076E70000-0x0000000076F2F000-memory.dmp

Filesize
764KB

Download
memory/3328-584-0x00000000777A0000-0x000000007785F000-memory.dmp

Filesize
764KB

Download
memory/3328-582-0x00000000769B0000-0x00000000769D4000-memory.dmp

Filesize
144KB

Download
memory/3328-581-0x00000000769E0000-0x0000000076BF5000-memory.dmp

Filesize
2.1MB

Download
memory/3328-707-0x0000000000780000-0x0000000003435000-memory.dmp

Filesize
44.7MB

Download