netsupport | d933149df4213449714cf63a0d63d04cb632caa97845579eae269bf16b5badcf

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

classroom.cloud.1.1e32ad54-8afb-4c05-a1c5-6e3e40e93fe4.uksouth2.msi
Size

54.1MB
MD5

7ac4d934b4d49e2fe9376a5d6071e95a
SHA1

26f48f7235651115d4ae806b67867255fbff3498
SHA256

d933149df4213449714cf63a0d63d04cb632caa97845579eae269bf16b5badcf
SHA512

795429c6952e71ccd09259ce3bc4ccd6aa1a31ac193aff057ae160af8fa3000fcc7704ba3e5047c571797703fa4fbcfe7b3b40d89c2299c7bdb7c37138b64d11
SSDEEP

1572864:FTBHdo6SPs7HpTeowced2oC6ho5fstdq:FNNSPIpTeoVed22

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	WINSTALL.EXE

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2112	msiexec.exe
4	1348	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	CICPlugin.exe
File opened (read-only)	\??\W:	CICPlugin.exe
File opened (read-only)	\??\Z:	CICPlugin.exe
File opened (read-only)	\??\I:	CICPlugin64.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	CICPlugin64.exe
File opened (read-only)	\??\R:	CICPlugin64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	CICPlugin.exe
File opened (read-only)	\??\F:	CICPlugin64.exe
File opened (read-only)	\??\P:	CICPlugin.exe
File opened (read-only)	\??\F:	CICPlugin.exe
File opened (read-only)	\??\T:	CICPlugin64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	CICPlugin.exe
File opened (read-only)	\??\W:	CICPlugin64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	CICPlugin64.exe
File opened (read-only)	\??\G:	CICPlugin.exe
File opened (read-only)	\??\H:	CICPlugin.exe
File opened (read-only)	\??\V:	CICPlugin.exe
File opened (read-only)	\??\A:	CICPlugin64.exe
File opened (read-only)	\??\P:	CICPlugin64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	CICPlugin64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	CICPlugin.exe
File opened (read-only)	\??\H:	CICPlugin64.exe
File opened (read-only)	\??\L:	CICPlugin.exe
File opened (read-only)	\??\Z:	CICPlugin64.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	CICPlugin.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	CICPlugin.exe
File opened (read-only)	\??\N:	CICPlugin.exe
File opened (read-only)	\??\Q:	CICPlugin.exe
File opened (read-only)	\??\U:	CICPlugin.exe
File opened (read-only)	\??\B:	CICPlugin64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	CICPlugin.exe
File opened (read-only)	\??\X:	CICPlugin.exe
File opened (read-only)	\??\E:	CICPlugin64.exe
File opened (read-only)	\??\U:	CICPlugin64.exe
File opened (read-only)	\??\Y:	CICPlugin64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	WINSTALL.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\cicclient32provider.dll	winst64.exe
File created	C:\Windows\SysWOW64\DnaMsg.dll	msiexec.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	WINSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	WINSTALL.EXE
File created	C:\Windows\system32\cicclient32provider.dll	winst64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\NSToast.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\cicPlugin64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\cicres_100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\shfolder.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1029\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIHOOKS.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\wastorage.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ADMod.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\js\lockpage.js	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\blockapp.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\cicres_125.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2052\PluginSoftwareModule64_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1029\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\NSSecurity.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1035\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\winstHooks.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\defuser.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\AUPCIC.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1045\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\ADM Templates\ADMX\classroom_cloud_Machine_Student.admx	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PluginDevicesModule.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\InternetMonitorCIC.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\unzdll.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1026\PluginSoftwareModule64_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIAPPCTRL.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1025\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1028\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\PluginSoftwareModule64_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ffmpeg.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\supporttool.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\pluginsoftwaremodule_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\3082\pcicl32_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\3082\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIIMAGE.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\cic_lock_image_ws.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1026\pluginsoftwaremodule_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2070\PluginSoftwareModule64_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1029\pcicl32_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Sounds\StudentAnswered.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2058\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\pluginsoftwaremodule_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1046\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Sounds\StudentCorrect.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1041\ManageADAccount_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1040\pluginsoftwaremodule_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1063\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\htctl32.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI500.tmp	msiexec.exe
File created	C:\Windows\Installer\f77013c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77013a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	WINSTALL.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f770139.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\CloseHookApp64.exe	MsiExec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	WINSTALL.EXE
File opened for modification	C:\Windows\Installer\f770139.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f77013a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	WINSTALL.EXE
2912	winst64.exe
1988	cicStudent.exe
1736	GetUserLang.exe
1056	cicStudent.exe
1644	GetUserLang.exe
1808	GetUserLang.exe
2296	CICPlugin.exe
1944	CICPlugin64.exe
1672	CICPlugin.exe
1548	CICPlugin64.exe

Loads dropped DLL 64 IoCs

pid	Process
1724	MsiExec.exe
1724	MsiExec.exe
1724	MsiExec.exe
980	MsiExec.exe
2556	MsiExec.exe
2752	WINSTALL.EXE
2752	WINSTALL.EXE
2912	winst64.exe
2752	WINSTALL.EXE
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1736	GetUserLang.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1988	cicStudent.exe
1724	MsiExec.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
1644	GetUserLang.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
1988	cicStudent.exe
1056	cicStudent.exe
1808	GetUserLang.exe
1056	cicStudent.exe
1056	cicStudent.exe
2296	CICPlugin.exe
2296	CICPlugin.exe
2296	CICPlugin.exe
1944	CICPlugin64.exe
1944	CICPlugin64.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2112	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CICPlugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CICPlugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cicStudent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cicStudent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	cicStudent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	cicStudent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	cicStudent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	cicStudent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	cicStudent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	cicStudent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	cicStudent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	cicStudent.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\NSS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Italian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Japanese = "Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\PackageName = "classroom.cloud.1.1e32ad54-8afb-4c05-a1c5-6e3e40e93fe4.uksouth2.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Polish = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Turkish = "Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\ProductIcon = "C:\\Windows\\Installer\\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\ = "cicClient32Provider"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Hungarian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Swedish = "Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Portuguese = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\ProductName = "classroom.cloud Student"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Arabic = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\InstalledByMSI = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.rpf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Bulgarian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Norwegian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\PackageCode = "DF1549309367B4E43BE0402F2CF44EA9"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /r\"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\German = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Lithuanian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Common = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Spanish = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1056	cicStudent.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1724	MsiExec.exe
1348	msiexec.exe
1348	msiexec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2752	WINSTALL.EXE
2752	WINSTALL.EXE
2752	WINSTALL.EXE
2752	WINSTALL.EXE
2752	WINSTALL.EXE
2752	WINSTALL.EXE
1988	cicStudent.exe
1988	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	CICPlugin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeSecurityPrivilege	1348	msiexec.exe
Token: SeCreateTokenPrivilege	2112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2112	msiexec.exe
Token: SeLockMemoryPrivilege	2112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2112	msiexec.exe
Token: SeMachineAccountPrivilege	2112	msiexec.exe
Token: SeTcbPrivilege	2112	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeLoadDriverPrivilege	2112	msiexec.exe
Token: SeSystemProfilePrivilege	2112	msiexec.exe
Token: SeSystemtimePrivilege	2112	msiexec.exe
Token: SeProfSingleProcessPrivilege	2112	msiexec.exe
Token: SeIncBasePriorityPrivilege	2112	msiexec.exe
Token: SeCreatePagefilePrivilege	2112	msiexec.exe
Token: SeCreatePermanentPrivilege	2112	msiexec.exe
Token: SeBackupPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeShutdownPrivilege	2112	msiexec.exe
Token: SeDebugPrivilege	2112	msiexec.exe
Token: SeAuditPrivilege	2112	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2112	msiexec.exe
Token: SeChangeNotifyPrivilege	2112	msiexec.exe
Token: SeRemoteShutdownPrivilege	2112	msiexec.exe
Token: SeUndockPrivilege	2112	msiexec.exe
Token: SeSyncAgentPrivilege	2112	msiexec.exe
Token: SeEnableDelegationPrivilege	2112	msiexec.exe
Token: SeManageVolumePrivilege	2112	msiexec.exe
Token: SeImpersonatePrivilege	2112	msiexec.exe
Token: SeCreateGlobalPrivilege	2112	msiexec.exe
Token: SeCreateTokenPrivilege	2112	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2112	msiexec.exe
Token: SeLockMemoryPrivilege	2112	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2112	msiexec.exe
Token: SeMachineAccountPrivilege	2112	msiexec.exe
Token: SeTcbPrivilege	2112	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeTakeOwnershipPrivilege	2112	msiexec.exe
Token: SeLoadDriverPrivilege	2112	msiexec.exe
Token: SeSystemProfilePrivilege	2112	msiexec.exe
Token: SeSystemtimePrivilege	2112	msiexec.exe
Token: SeProfSingleProcessPrivilege	2112	msiexec.exe
Token: SeIncBasePriorityPrivilege	2112	msiexec.exe
Token: SeCreatePagefilePrivilege	2112	msiexec.exe
Token: SeCreatePermanentPrivilege	2112	msiexec.exe
Token: SeBackupPrivilege	2112	msiexec.exe
Token: SeRestorePrivilege	2112	msiexec.exe
Token: SeShutdownPrivilege	2112	msiexec.exe
Token: SeDebugPrivilege	2112	msiexec.exe
Token: SeAuditPrivilege	2112	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2112	msiexec.exe
Token: SeChangeNotifyPrivilege	2112	msiexec.exe
Token: SeRemoteShutdownPrivilege	2112	msiexec.exe
Token: SeUndockPrivilege	2112	msiexec.exe
Token: SeSyncAgentPrivilege	2112	msiexec.exe
Token: SeEnableDelegationPrivilege	2112	msiexec.exe
Token: SeManageVolumePrivilege	2112	msiexec.exe
Token: SeImpersonatePrivilege	2112	msiexec.exe
Token: SeCreateGlobalPrivilege	2112	msiexec.exe
Token: SeCreateTokenPrivilege	2112	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2112	msiexec.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
1056	cicStudent.exe
2112	msiexec.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1056	cicStudent.exe
1056	cicStudent.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2296	CICPlugin.exe
1944	CICPlugin64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 1724	1348	msiexec.exe	31
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 980	1348	msiexec.exe	36
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2556	1348	msiexec.exe	38
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 1348 wrote to memory of 2752	1348	msiexec.exe	39
PID 2752 wrote to memory of 2912	2752	WINSTALL.EXE	40
PID 2752 wrote to memory of 2912	2752	WINSTALL.EXE	40
PID 2752 wrote to memory of 2912	2752	WINSTALL.EXE	40
PID 2752 wrote to memory of 2912	2752	WINSTALL.EXE	40
PID 1988 wrote to memory of 1736	1988	cicStudent.exe	42
PID 1988 wrote to memory of 1736	1988	cicStudent.exe	42
PID 1988 wrote to memory of 1736	1988	cicStudent.exe	42
PID 1988 wrote to memory of 1736	1988	cicStudent.exe	42
PID 1988 wrote to memory of 1056	1988	cicStudent.exe	43
PID 1988 wrote to memory of 1056	1988	cicStudent.exe	43
PID 1988 wrote to memory of 1056	1988	cicStudent.exe	43
PID 1988 wrote to memory of 1056	1988	cicStudent.exe	43
PID 1056 wrote to memory of 1644	1056	cicStudent.exe	44
PID 1056 wrote to memory of 1644	1056	cicStudent.exe	44
PID 1056 wrote to memory of 1644	1056	cicStudent.exe	44
PID 1056 wrote to memory of 1644	1056	cicStudent.exe	44
PID 1056 wrote to memory of 1808	1056	cicStudent.exe	45
PID 1056 wrote to memory of 1808	1056	cicStudent.exe	45
PID 1056 wrote to memory of 1808	1056	cicStudent.exe	45
PID 1056 wrote to memory of 1808	1056	cicStudent.exe	45
PID 1056 wrote to memory of 2296	1056	cicStudent.exe	46
PID 1056 wrote to memory of 2296	1056	cicStudent.exe	46
PID 1056 wrote to memory of 2296	1056	cicStudent.exe	46
PID 1056 wrote to memory of 2296	1056	cicStudent.exe	46
PID 1056 wrote to memory of 1944	1056	cicStudent.exe	47
PID 1056 wrote to memory of 1944	1056	cicStudent.exe	47
PID 1056 wrote to memory of 1944	1056	cicStudent.exe	47
PID 1056 wrote to memory of 1944	1056	cicStudent.exe	47
PID 1056 wrote to memory of 1672	1056	cicStudent.exe	48
PID 1056 wrote to memory of 1672	1056	cicStudent.exe	48
PID 1056 wrote to memory of 1672	1056	cicStudent.exe	48
PID 1056 wrote to memory of 1672	1056	cicStudent.exe	48
PID 1056 wrote to memory of 1548	1056	cicStudent.exe	49
PID 1056 wrote to memory of 1548	1056	cicStudent.exe	49
PID 1056 wrote to memory of 1548	1056	cicStudent.exe	49
PID 1056 wrote to memory of 1548	1056	cicStudent.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.1e32ad54-8afb-4c05-a1c5-6e3e40e93fe4.uksouth2.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86FCD02276A07443AA20A7A8248E4E0E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 31338C5ECEA41BB7895C5971DC8124C7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96C618DFE72FADA357D9B6F5D9F25327 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
  "C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *
  2⤵
  - Sets service image path in registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
    winst64.exe /q /q /i
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:864

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000005A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2196

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
  "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
  "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"
    3⤵
    - Executes dropped EXE
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77013b.rbs

Filesize
90KB

MD5
36b717907af5956932ef480a4066abb1

SHA1
c83b6d81dfd0370367ed0e749ad82b565b021871

SHA256
ec6a42e28b0951ef0ee96134600f64940734af50e2660157dd89194e694e5601

SHA512
639f540166eee33f4d86c7d6722e26cdf6b6c86ec7f99f3e32290fd4647ec6b19a4374f28be206cdb0ff640dc5455aa1df923fc84083f5ea993da4b767486163

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll

Filesize
303KB

MD5
3426d49120f48e536e7767175450a337

SHA1
86507fd056c7adaf3296a8941230a121967aeb24

SHA256
b55bf64e38ca2d2fe9af3a6d2f95f9b08ab8166f5f40f3099f6d7c74ba491435

SHA512
6f0c26a1d8b5ca77b48d88f687394edf970c079ed68a19df546e74d951c17e158574aff1fc88074b4f38b285ba05fe1a0fe92e0f09ec157530e2144e55372e03

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

Filesize
33KB

MD5
dcaf9bf3061481f1d980c81444d657d1

SHA1
5c23e64f597e586fa78e8cfdecbea0f4bf2071b8

SHA256
50dcabfcec447b99d118199d006ee3ac91b0fe3f590bc67e6b2b8893d9e87f86

SHA512
fbcb957766bb2422307dba68d7ce24c3515f6a39b7bb812ba5b9d6ca9584e1042900f2854fed1a4564782880b04ce029d24281738eee8447c1ffdf1e28d925c8

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.DLL

Filesize
1.2MB

MD5
b7add7928db7c60b81b783766799aff8

SHA1
198ae0b23ccc035fdfaaef8bd7c8d84ea7920d1f

SHA256
4bc6aa2a95cf961b58e3edef2bcfc54bfb598426ded4d3cf6b58297e31c58e91

SHA512
5a7e8f910fcee1169557462ce774e06ff0419474eced6d2a23c13fa8f8955729d4ec7a0d6b510b0a22c9bdd851c9bf56407af95faaf9c0bd2644da71bb712f2d

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\SHFOLDER.dll

Filesize
45KB

MD5
472665ab748444f211531025e1abb9d1

SHA1
a34c7579723f6cba9cb1c4b6494bcc659854710d

SHA256
c5426e49c295507fb5b72628a7bea1b4bbe673e07b27d8ecf8b3734a4bd0612d

SHA512
57487771f4b65abb9b4226d5243b57eebbbf04bc894aada7b341e592a1f32a7c417139bc29f4e4bd21e92ddfec472e9effa1b22ac9603d7199198de63b73653c

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\VCRUNTIME140.dll

Filesize
81KB

MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

Filesize
743KB

MD5
4526ba183e49463e1352772606787180

SHA1
5803f9f8f8fd82cf4e2ad32db8313c1dbf8ece85

SHA256
a87cd4f66d54ec06d3bd75a6a54cbbb5838433376e38b1400200332a1192d49b

SHA512
4a0686ec6f79fc45405320b9d69c2cd4f4e8050b20921c1475a1f5ba6787c2f75aed54c0baf27b4161e17ca1a49731a533ee3e1e0a1df15b53ca8afc35db9fe3

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll

Filesize
1.4MB

MD5
f9cf2db8b99dc50eab538c4d860ac1a4

SHA1
b261c9e7f082eb8649afab9a677e022f84fd2823

SHA256
865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71

SHA512
59660740b58b1761a4658aeb02f669f1fd8a3fcb07c162a86b9565c5f9219cb993cc9d94b43b1d39edcd5032b478b8a9b3a388fb82449ca82a83e3c6dd94c02d

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
a20084f41b3f1c549d6625c790b72268

SHA1
e3669b8d89402a047bfbf9775d18438b0d95437e

SHA256
0fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1

SHA512
ddf294a47dd80b3abfb3a0d82bc5f2b510d3734439f5a25da609edbbd9241ed78045114d011925d61c3d80b1ccd0283471b1dad4cf16e2194e9bc22e8abf278f

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
ae3fa6bf777b0429b825fb6b028f8a48

SHA1
b53dbfdb7c8deaa9a05381f5ac2e596830039838

SHA256
66b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb

SHA512
1339e7ce01916573e7fdd71e331eeee5e27b1ddd968cadfa6cbc73d58070b9c9f8d9515384af004e5e015bd743c7a629eb0c62a6c0fa420d75b069096c5d1ece

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

Filesize
33KB

MD5
f046947fc0215fda61b173e6632f2522

SHA1
ea80f54f5ea5057138eac3be5cebc65a758730e6

SHA256
8d93e4a3952682cb6769d061f24ba3698907e8da13c3372e87550acd0e7753eb

SHA512
7134db57d13075436fd6135b1d9de8efcaaffe912fef56975209cdd218d7f8b8234b47ec0fef0a401fe137c7b490258e7c14a89b4f70416035d635cf940d59c5

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cicclient32provider.dll

Filesize
102KB

MD5
a4d7dbec9f09eca4c73bddc111f759a2

SHA1
d72c24be3725f439f9c42e0b92ea57cbbe56773f

SHA256
8b0c10049712f99f976c1c7a2aeecaac05f485356d20ff52085d188bc857c64c

SHA512
e968985c27895b0a60cb5cde0cf91eff1533d605af337dbf097d4d4eaeca15ef2c622760ceb2740b6a8e29345156d099a2af412ea2d1f92804f7202cc2d91586

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cpprest_2_10.dll

Filesize
842KB

MD5
98a75771d452d5d5fafb9bdc091c512d

SHA1
67a0e43a56a15082453a9d4940e832155a3057c4

SHA256
fa87e30988d3f55399042a2eae90eae0e1934cebd11c6e10168fb40a0395da72

SHA512
9dd3d0ed053976379b96064d14c1246df0fc6e09a2683d79d6c005622f5f64e208e45fa75df41e9854671ad093c9b4c8f2274aef623173e36f553733866e3c39

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.inf

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.sys

Filesize
32KB

MD5
1c2143adeab91d77eb5a9624bd28b283

SHA1
5f8bb1a5a6ae56af8bbd60acd1c4c67cfd8e26b1

SHA256
f897746f7fc866b9fc100f36d6896b883e55b08c5ae9e7d8358fcdb937c6c097

SHA512
0d9a5c2130496f4ef4b06ad55be7ba84190a36e0d8412fa11e816ef53bbae413cb11742c053644d6f4df44d19746db0ea420d0426b83eb1a298d42e9e48d11a2

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.dll

Filesize
48KB

MD5
93a96634b8d685f265eb7bd2b49f4d40

SHA1
d0ebf9a80161dd0a273f14ce331b5e8112dfc81a

SHA256
1173b0c5bfbf11bb6a928ae8dd9f6c909720043772ebbf589b11d07516742963

SHA512
17b4a4fa0f7844d735413cea553218d3dd763dae915509aac6ff82ab409ab6f2f3c8eab31b6c9308c51c0d4e91c155b65e25eddd1ed9d84ab1c6e2fe7c2e48de

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\pcimsg.dll

Filesize
54KB

MD5
c10a0306999ba7d7c598155c4d503019

SHA1
6f7674088d27cec8ba4deb84e603fdabce20da3c

SHA256
13590eab09c5d40d54a7ae1fa7beabb838187d782d02ede5a5bb21110117e452

SHA512
b5d1e13f3c4200ffed17053122efb989df55a417567466452243181991498b875ae3ac88120724376038cf5e59b79320387eee5104491054b036d10eaa4b2ddc

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat

Filesize
397B

MD5
1776504eea61cb14d645e4ecf7f66fed

SHA1
5902f0fa83a830bfc9d1befa3583330354389a26

SHA256
ebeabcbf16e7a50062ca7271a94359b5e1a648d84ab14e05974a293c56740bed

SHA512
e396290024f37579886f07e8924ba0ad5c95818fb3d7dc24263684a72d97ff0cf9eeaf85498d28bf22d8beb2c4c08eeea08839b26259b243cc3bae39eb851710

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem

Filesize
1KB

MD5
3cdcf8f9b05de85c7e7008e7f4a70123

SHA1
4f2c894e8c86200efcb93ad0ebd85296d48f360c

SHA256
27f2bfa146d2d50ae0694bc4d0fbec7e47642396099fc078e4b567048e7a439e

SHA512
93f240508610c8cabdadeaf35049204d65985c10f6e3e44a6acef1ff0da62993460e35a6ed3e5b442e32ac751312efe4f03b6b1104b0adb5beb653d71750d3e6

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\ucrtbase.DLL

Filesize
879KB

MD5
3e0303f978818e5c944f5485792696fd

SHA1
3b6e3ea9f5a6bbdeda20d68b84e4b51dc48deb1d

SHA256
7041885b2a8300bf12a46510228ce8d103d74e83b1baf696b84ff3e5ab785dd1

SHA512
c2874029bd269e6b9f7000c48d0710c52664c44e91c3086df366c3456b8bce0ed4d7e5bcfe4bdd3d03b11b8245c65f4b848b6dc58e6ea7b1de9b3ca2fb3348bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc3e4339bc854a1b20aa3b193da2b631

SHA1
2a831f13018466d860fed79266cc1b43d4bc4be5

SHA256
dd821c04f1d368339b0a8f26e9abd99f4fcacaff1a5cf46657a5f53fe486ab96

SHA512
34c6d702d39ddcebbb296b2d12cce34b515fa1b0ac90cc4fcf581d08cca6c7acce2d552446ff67c1b5cbd92859948af4a2dc823b7a8ad1b1db0b14616855ff78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9C7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICC6C.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICCCA.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICD48.tmp

Filesize
504KB

MD5
caef4649c1b75f44c360a5574a4b9917

SHA1
a6070bd5c7258a12ae286456fbb7c5d2197d0871

SHA256
a84649e3f049f9209754cdbbdd0b09962b1a7c979271e263581dbe792e98d66e

SHA512
367872252bd58ab56400eedab653f7ccae852d20328d698b413ee31e5039660ea255f4e276680651767398a32ba90af2cb12a6a05a0f8eedd7900cd97cb1c2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9F8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\PCICHEK.DLL

Filesize
31KB

MD5
99217812500d0ee8494dbb977ae54dfa

SHA1
df0df5f249aab9c702fa48bd24338571c41bf06b

SHA256
3cb1f60988010c08934ad7c527ff2a0cebd37f0669eb05fc534bc67af7f3f356

SHA512
801bf960846f636b1263a219c859cbf4a9c143d0c076a0b593bd5ca61085fc36ad6443a67e408ca140acfe1a3db6112b3105c6c459f3c7be5e0428cf21cbe226

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\PCICL32.DLL

Filesize
7.3MB

MD5
0b6d88695106ba895eff00da393d5865

SHA1
e1ac54ac03a4d7e97ef3ada245dbc28e4cae9fd9

SHA256
d707d4da17a07c495a5ce282b766d01797d54602e20d76effa9003a6beb1acd1

SHA512
c56b384dc38d46f19d895a389391eb59e8b13aa542211cd0d063e9478e569003ea90b9685abdd4cad8fedf597d698bf1a022c22cd314fbf1b8b303e1469abe9f

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
f6d1216e974fb76585fd350ebdc30648

SHA1
f8f73aa038e49d9fcf3bd05a30dc2e8cbbe54a7c

SHA256
348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271

SHA512
756ee21ba895179a5b6836b75aeefb75389b0fe4ae2aaff9ed84f33075094663117133c810ab2e697ec04eaffd54ff03efa3b9344e467a847acea9f732935843

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfb08fb09e8d68673f2f0213c59e2b97

SHA1
e1e5ff4e7dd1c902afbe195d3e9fd2a7d4a539f2

SHA256
6d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e

SHA512
e4f33306f3d06ea5c8e539ebdb6926d5f818234f481ff4605a9d5698ae8f2afdf79f194acd0e55ac963383b78bb4c9311ee97f3a188e12fbf2ee13b35d409900

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
3b9d034ca8a0345bc8f248927a86bf22

SHA1
95faf5007daf8ba712a5d17f865f0e7938da662b

SHA256
a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d

SHA512
04f0830878e0166ffd1220536592d0d7ec8aacd3f04340a8d91df24d728f34fbbd559432e5c35f256d231afe0ae926139d7503107cea09bfd720ad65e19d1cdc

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
c2ead5fcce95a04d31810768a3d44d57

SHA1
96e791b4d217b3612b0263e8df2f00009d5af8d8

SHA256
42a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62

SHA512
c90048481d8f0a5eda2eb6e7703b5a064f481bb7d8c78970408b374cb82e89febc2e36633f1f3e28323fb633d6a95aa1050a626cb0cb5ec62e9010491aae91f4

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
f6b4d8d403d22eb87a60bf6e4a3e7041

SHA1
b51a63f258b57527549d5331c405eacc77969433

SHA256
25687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270

SHA512
1acd8f7bc5d3ae1db46824b3a5548b33e56c9bac81dcd2e7d90fdbd1d3dd76f93cdf4d52a5f316728f92e623f73bc2ccd0bc505a259dff20c1a5a2eb2f12e41b

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

Filesize
335KB

MD5
65c4909e7184be52bbe4403587fe116c

SHA1
c624ba2f8b13a5eb68fd09590e4d92fc90a393f6

SHA256
969163068ac5a2587ac3afd7d849dfe431a3e1f48bfa4ad9c1b9a5d72a99a055

SHA512
f1008a52fdc37f252e678f7ed515feb0fdb48dcab1a5a0e142d77f0c4a5792ab3390e4e29aa5d2477308406373d1d2e4e6237ad5aed772c57d53c776ddb23e07

Download Submit
memory/2112-616-0x000007FEFD6D0000-0x000007FEFD737000-memory.dmp

Filesize
412KB

Download
memory/2112-658-0x000007FEFC770000-0x000007FEFC7B7000-memory.dmp

Filesize
284KB

Download
memory/2112-602-0x0000000077210000-0x000000007732F000-memory.dmp

Filesize
1.1MB

Download
memory/2112-608-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-607-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-606-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-605-0x000007FEFD290000-0x000007FEFD2FC000-memory.dmp

Filesize
432KB

Download
memory/2112-604-0x000007FEFD290000-0x000007FEFD2FC000-memory.dmp

Filesize
432KB

Download
memory/2112-603-0x0000000077210000-0x000000007732F000-memory.dmp

Filesize
1.1MB

Download
memory/2112-609-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-610-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-619-0x000007FEF6CF0000-0x000007FEF7006000-memory.dmp

Filesize
3.1MB

Download
memory/2112-618-0x000007FEFD940000-0x000007FEFDB43000-memory.dmp

Filesize
2.0MB

Download
memory/2112-617-0x000007FEFD6D0000-0x000007FEFD737000-memory.dmp

Filesize
412KB

Download
memory/2112-600-0x00000000FF510000-0x00000000FF534000-memory.dmp

Filesize
144KB

Download
memory/2112-615-0x0000000077330000-0x000000007742A000-memory.dmp

Filesize
1000KB

Download
memory/2112-614-0x0000000077330000-0x000000007742A000-memory.dmp

Filesize
1000KB

Download
memory/2112-613-0x0000000077330000-0x000000007742A000-memory.dmp

Filesize
1000KB

Download
memory/2112-612-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-611-0x000007FEFF5E0000-0x000007FEFF6BB000-memory.dmp

Filesize
876KB

Download
memory/2112-621-0x000007FEF6CF0000-0x000007FEF7006000-memory.dmp

Filesize
3.1MB

Download
memory/2112-651-0x000007FEEFE20000-0x000007FEEFE30000-memory.dmp

Filesize
64KB

Download
memory/2112-622-0x000007FEF6CF0000-0x000007FEF7006000-memory.dmp

Filesize
3.1MB

Download
memory/2112-620-0x000007FEF6CF0000-0x000007FEF7006000-memory.dmp

Filesize
3.1MB

Download
memory/2112-665-0x000007FEFB9A0000-0x000007FEFB9F6000-memory.dmp

Filesize
344KB

Download
memory/2112-664-0x000007FEFB9A0000-0x000007FEFB9F6000-memory.dmp

Filesize
344KB

Download
memory/2112-663-0x000007FEFB9A0000-0x000007FEFB9F6000-memory.dmp

Filesize
344KB

Download
memory/2112-662-0x000007FEFD0D0000-0x000007FEFD0DF000-memory.dmp

Filesize
60KB

Download
memory/2112-661-0x000007FEFC770000-0x000007FEFC7B7000-memory.dmp

Filesize
284KB

Download
memory/2112-660-0x000007FEFC770000-0x000007FEFC7B7000-memory.dmp

Filesize
284KB

Download
memory/2112-659-0x000007FEFC770000-0x000007FEFC7B7000-memory.dmp

Filesize
284KB

Download
memory/2112-601-0x0000000077210000-0x000000007732F000-memory.dmp

Filesize
1.1MB

Download
memory/2112-657-0x000007FEFC770000-0x000007FEFC7B7000-memory.dmp

Filesize
284KB

Download
memory/2112-656-0x000007FEFBCB0000-0x000007FEFBEA4000-memory.dmp

Filesize
2.0MB

Download
memory/2112-655-0x000007FEFBCB0000-0x000007FEFBEA4000-memory.dmp

Filesize
2.0MB

Download
memory/2112-654-0x000007FEFBCB0000-0x000007FEFBEA4000-memory.dmp

Filesize
2.0MB

Download
memory/2112-653-0x000007FEFD740000-0x000007FEFD849000-memory.dmp

Filesize
1.0MB

Download
memory/2112-652-0x000007FEFD740000-0x000007FEFD849000-memory.dmp

Filesize
1.0MB

Download
memory/2112-648-0x000007FEF6C30000-0x000007FEF6C81000-memory.dmp

Filesize
324KB

Download
memory/2112-647-0x000007FEF6C30000-0x000007FEF6C81000-memory.dmp

Filesize
324KB

Download
memory/2112-646-0x000007FEF6C30000-0x000007FEF6C81000-memory.dmp

Filesize
324KB

Download
memory/2112-645-0x000007FEF6C30000-0x000007FEF6C81000-memory.dmp

Filesize
324KB

Download
memory/2112-644-0x000007FEFA550000-0x000007FEFA5C1000-memory.dmp

Filesize
452KB

Download
memory/2112-643-0x000007FEFA550000-0x000007FEFA5C1000-memory.dmp

Filesize
452KB

Download
memory/2112-642-0x000007FEFA550000-0x000007FEFA5C1000-memory.dmp

Filesize
452KB

Download
memory/2112-641-0x000007FEFA550000-0x000007FEFA5C1000-memory.dmp

Filesize
452KB

Download
memory/2112-640-0x000007FEF6C90000-0x000007FEF6CEA000-memory.dmp

Filesize
360KB

Download
memory/2112-639-0x000007FEF6C90000-0x000007FEF6CEA000-memory.dmp

Filesize
360KB

Download
memory/2112-638-0x000007FEF6C90000-0x000007FEF6CEA000-memory.dmp

Filesize
360KB

Download
memory/2112-637-0x000007FEF6C90000-0x000007FEF6CEA000-memory.dmp

Filesize
360KB

Download
memory/2112-636-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-635-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-634-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-633-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-632-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-631-0x000007FEFD070000-0x000007FEFD0C7000-memory.dmp

Filesize
348KB

Download
memory/2112-630-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-629-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-628-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-627-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-626-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-625-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-624-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/2112-623-0x000007FEF6CF0000-0x000007FEF7006000-memory.dmp

Filesize
3.1MB

Download