netsupport | d933149df4213449714cf63a0d63d04cb632caa97845579eae269bf16b5badcf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

classroom.cloud.1.1e32ad54-8afb-4c05-a1c5-6e3e40e93fe4.uksouth2.msi
Size

54.1MB
MD5

7ac4d934b4d49e2fe9376a5d6071e95a
SHA1

26f48f7235651115d4ae806b67867255fbff3498
SHA256

d933149df4213449714cf63a0d63d04cb632caa97845579eae269bf16b5badcf
SHA512

795429c6952e71ccd09259ce3bc4ccd6aa1a31ac193aff057ae160af8fa3000fcc7704ba3e5047c571797703fa4fbcfe7b3b40d89c2299c7bdb7c37138b64d11
SSDEEP

1572864:FTBHdo6SPs7HpTeowced2oC6ho5fstdq:FNNSPIpTeoVed22

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	WINSTALL.EXE

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4852	msiexec.exe
8	4852	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	CICPlugin.exe
File opened (read-only)	\??\Z:	CICPlugin.exe
File opened (read-only)	\??\O:	CICPlugin64.exe
File opened (read-only)	\??\Z:	CICPlugin64.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	CICPlugin.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	CICPlugin64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	CICPlugin.exe
File opened (read-only)	\??\X:	CICPlugin64.exe
File opened (read-only)	\??\Y:	CICPlugin64.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	CICPlugin.exe
File opened (read-only)	\??\T:	CICPlugin.exe
File opened (read-only)	\??\M:	CICPlugin64.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	CICPlugin64.exe
File opened (read-only)	\??\K:	CICPlugin.exe
File opened (read-only)	\??\R:	CICPlugin.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	CICPlugin.exe
File opened (read-only)	\??\F:	CICPlugin.exe
File opened (read-only)	\??\A:	CICPlugin64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	CICPlugin.exe
File opened (read-only)	\??\B:	CICPlugin.exe
File opened (read-only)	\??\E:	CICPlugin.exe
File opened (read-only)	\??\J:	CICPlugin64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	CICPlugin64.exe
File opened (read-only)	\??\G:	CICPlugin64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	CICPlugin.exe
File opened (read-only)	\??\Q:	CICPlugin64.exe
File opened (read-only)	\??\T:	CICPlugin64.exe
File opened (read-only)	\??\U:	CICPlugin64.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	CICPlugin.exe
File opened (read-only)	\??\H:	CICPlugin64.exe
File opened (read-only)	\??\S:	CICPlugin64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	CICPlugin.exe
File opened (read-only)	\??\I:	CICPlugin64.exe
File opened (read-only)	\??\P:	CICPlugin64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	WINSTALL.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100.i386.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\setupapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\crypt32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\devobj.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\psapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\profapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wbemsvc.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\audioses.pdb	cicStudent.exe
File created	C:\Windows\SysWOW64\DnaMsg.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	WINSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\wkscli.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wbemcomn.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\fastprox.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32full.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wsspicli.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\shlwapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\comctl32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\userenv.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\dhcpcsvc.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\netapi32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\winsta.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\msctf.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\Amsi.pdb	cicStudent.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	WINSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\winspool.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\samcli.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\srvcli.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\dwmapi.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\version.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\activeds.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wimm32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\netutils.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wUxTheme.pdb	cicStudent.exe
File created	C:\Windows\system32\cicclient32provider.dll	winst64.exe
File opened for modification	C:\Windows\SysWOW64\mpr.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\WLDP.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\nsi.pdb	cicStudent.exe
File opened for modification	C:\Windows\system32\cicclient32provider.dll	winst64.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\dhcpcsvc6.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\cicStudent.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wldap32.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\winhttp.pdb	cicStudent.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.pdb	cicStudent.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2074\ManageADAccount_res.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wuser32.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\wsock32.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\DLL\dbghelp.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\CLBCatQ.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\DLL\iphlpapi.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\cicPlugin.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\msctf.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\pluginiemodule.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\Cloud.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wbemcomn.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\nsi.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\pcicl32_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIAPPCTRL.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIIMAGE.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1045\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2070\cicToolbar_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\StoreSoftwareCtlCIC.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\ADM Templates\ADMX\classroom_cloud_Machine_Student.admx	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\oleaut32.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1025\pcicl32_RES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2058\pcicl32_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\VolumeControlWVI.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\DRV\winspool.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\UMPDC.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\mfc100.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\NSCommonHook.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\ManageADAccount_res.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\bcryptprimitives.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1042\ManageADAccount_res.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\adsldpc.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\iphlpapi.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\VolumeControlWVI.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\zlib1.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wtsapi32.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\wntdll.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1053\pcicl32_RES.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\fastprox.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\wintrust.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\winstHooks64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\exe\cicStudent.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\mpr.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\DLL\dbgcore.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\PluginSoftwareModule64_res.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1040\cicToolbar_res.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\advapi32.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\nsi.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\DLL\dhcpcsvc6.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\MMDevAPI.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ADMod.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\wgdi32full.pdb	cicStudent.exe
File opened for modification	C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wgdi32full.pdb	cicStudent.exe
File created	C:\Program Files (x86)\NetSupport\classroom.cloud\NSSecurity.dll	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e1e4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\setupact.log	WINSTALL.EXE
File created	C:\Windows\Installer\e57e1e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE55F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0DA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EF96010C-AD62-4A87-A456-C1F250DAD9B7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA9F.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e57e1e4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F	msiexec.exe
File created	C:\Windows\Installer\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	WINSTALL.EXE
File created	C:\Windows\Installer\CloseHookApp64.exe	MsiExec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\C01069FE26DA78A44A651C2F05AD9D7B\1.98.1	msiexec.exe

Executes dropped EXE 15 IoCs

pid	Process
2224	WINSTALL.EXE
4312	winst64.exe
2192	cicStudent.exe
1908	GetUserLang.exe
3028	cicStudent.exe
4688	GetUserLang.exe
2684	winst64.exe
3416	Process not Found
2984	Process not Found
384	Process not Found
2604	GetUserLang.exe
3808	CICPlugin.exe
2700	CICPlugin64.exe
1864	CICPlugin.exe
3640	CICPlugin64.exe

Loads dropped DLL 57 IoCs

pid	Process
3816	MsiExec.exe
3816	MsiExec.exe
3816	MsiExec.exe
1540	MsiExec.exe
3368	MsiExec.exe
2224	WINSTALL.EXE
4312	winst64.exe
2224	WINSTALL.EXE
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
1908	GetUserLang.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
2192	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
4688	GetUserLang.exe
2192	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
2684	winst64.exe
3028	cicStudent.exe
4852	msiexec.exe
3028	cicStudent.exe
3816	MsiExec.exe
2604	GetUserLang.exe
2700	CICPlugin64.exe
3640	CICPlugin64.exe
3808	CICPlugin.exe
3808	CICPlugin.exe
3808	CICPlugin.exe
2700	CICPlugin64.exe
2700	CICPlugin64.exe
2700	CICPlugin64.exe
3808	CICPlugin.exe
2700	CICPlugin64.exe
3028	cicStudent.exe
1864	CICPlugin.exe
3640	CICPlugin64.exe
4852	msiexec.exe
4852	msiexec.exe
3816	MsiExec.exe
3416	Process not Found
3416	Process not Found
3816	MsiExec.exe
3816	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4852	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cicStudent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CICPlugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cicStudent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetUserLang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CICPlugin.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	cicStudent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM"	cicStudent.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	cicStudent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	cicStudent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	cicStudent.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Chinese = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Lithuanian = "Student"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Brazilian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Common = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Russian = "Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Korean = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\MexicanSpanish = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\ProductIcon = "C:\\Windows\\Installer\\{EF96010C-AD62-4A87-A456-C1F250DAD9B7}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\DefaultIcon\ = "C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\PCIVideo.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\C01069FE26DA78A44A651C2F05AD9D7B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\ChineseT = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\NSS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Czech = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Italian = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Polish = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\""	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Student = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\French = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\InstalledByMSI = "Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll"	winst64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.rpf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	WINSTALL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Portuguese = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Serbian = "Student"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\Turkish = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C01069FE26DA78A44A651C2F05AD9D7B\German = "Student"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student"	WINSTALL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\ProductName = "classroom.cloud Student"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\AuthorizedLUAApp = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C01069FE26DA78A44A651C2F05AD9D7B\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3028	cicStudent.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3816	MsiExec.exe
3816	MsiExec.exe
3524	msiexec.exe
3524	msiexec.exe
3368	MsiExec.exe
3368	MsiExec.exe
2224	WINSTALL.EXE
2224	WINSTALL.EXE
2224	WINSTALL.EXE
2224	WINSTALL.EXE
2224	WINSTALL.EXE
2224	WINSTALL.EXE
2192	cicStudent.exe
2192	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
2700	CICPlugin64.exe
2700	CICPlugin64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3808	CICPlugin.exe
2700	CICPlugin64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4852	msiexec.exe
Token: SeSecurityPrivilege	3524	msiexec.exe
Token: SeCreateTokenPrivilege	4852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4852	msiexec.exe
Token: SeLockMemoryPrivilege	4852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4852	msiexec.exe
Token: SeMachineAccountPrivilege	4852	msiexec.exe
Token: SeTcbPrivilege	4852	msiexec.exe
Token: SeSecurityPrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeLoadDriverPrivilege	4852	msiexec.exe
Token: SeSystemProfilePrivilege	4852	msiexec.exe
Token: SeSystemtimePrivilege	4852	msiexec.exe
Token: SeProfSingleProcessPrivilege	4852	msiexec.exe
Token: SeIncBasePriorityPrivilege	4852	msiexec.exe
Token: SeCreatePagefilePrivilege	4852	msiexec.exe
Token: SeCreatePermanentPrivilege	4852	msiexec.exe
Token: SeBackupPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeShutdownPrivilege	4852	msiexec.exe
Token: SeDebugPrivilege	4852	msiexec.exe
Token: SeAuditPrivilege	4852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4852	msiexec.exe
Token: SeChangeNotifyPrivilege	4852	msiexec.exe
Token: SeRemoteShutdownPrivilege	4852	msiexec.exe
Token: SeUndockPrivilege	4852	msiexec.exe
Token: SeSyncAgentPrivilege	4852	msiexec.exe
Token: SeEnableDelegationPrivilege	4852	msiexec.exe
Token: SeManageVolumePrivilege	4852	msiexec.exe
Token: SeImpersonatePrivilege	4852	msiexec.exe
Token: SeCreateGlobalPrivilege	4852	msiexec.exe
Token: SeCreateTokenPrivilege	4852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4852	msiexec.exe
Token: SeLockMemoryPrivilege	4852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4852	msiexec.exe
Token: SeMachineAccountPrivilege	4852	msiexec.exe
Token: SeTcbPrivilege	4852	msiexec.exe
Token: SeSecurityPrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeLoadDriverPrivilege	4852	msiexec.exe
Token: SeSystemProfilePrivilege	4852	msiexec.exe
Token: SeSystemtimePrivilege	4852	msiexec.exe
Token: SeProfSingleProcessPrivilege	4852	msiexec.exe
Token: SeIncBasePriorityPrivilege	4852	msiexec.exe
Token: SeCreatePagefilePrivilege	4852	msiexec.exe
Token: SeCreatePermanentPrivilege	4852	msiexec.exe
Token: SeBackupPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeShutdownPrivilege	4852	msiexec.exe
Token: SeDebugPrivilege	4852	msiexec.exe
Token: SeAuditPrivilege	4852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4852	msiexec.exe
Token: SeChangeNotifyPrivilege	4852	msiexec.exe
Token: SeRemoteShutdownPrivilege	4852	msiexec.exe
Token: SeUndockPrivilege	4852	msiexec.exe
Token: SeSyncAgentPrivilege	4852	msiexec.exe
Token: SeEnableDelegationPrivilege	4852	msiexec.exe
Token: SeManageVolumePrivilege	4852	msiexec.exe
Token: SeImpersonatePrivilege	4852	msiexec.exe
Token: SeCreateGlobalPrivilege	4852	msiexec.exe
Token: SeCreateTokenPrivilege	4852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4852	msiexec.exe
Token: SeLockMemoryPrivilege	4852	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4852	msiexec.exe
3028	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
3028	cicStudent.exe
4852	msiexec.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3028	cicStudent.exe
3028	cicStudent.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2684	winst64.exe
3808	CICPlugin.exe
2700	CICPlugin64.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3816	3524	msiexec.exe	87
PID 3524 wrote to memory of 3816	3524	msiexec.exe	87
PID 3524 wrote to memory of 3816	3524	msiexec.exe	87
PID 3524 wrote to memory of 1524	3524	msiexec.exe	98
PID 3524 wrote to memory of 1524	3524	msiexec.exe	98
PID 3524 wrote to memory of 1540	3524	msiexec.exe	102
PID 3524 wrote to memory of 1540	3524	msiexec.exe	102
PID 3524 wrote to memory of 1540	3524	msiexec.exe	102
PID 3524 wrote to memory of 3368	3524	msiexec.exe	105
PID 3524 wrote to memory of 3368	3524	msiexec.exe	105
PID 3524 wrote to memory of 3368	3524	msiexec.exe	105
PID 3524 wrote to memory of 2224	3524	msiexec.exe	106
PID 3524 wrote to memory of 2224	3524	msiexec.exe	106
PID 3524 wrote to memory of 2224	3524	msiexec.exe	106
PID 2224 wrote to memory of 4312	2224	WINSTALL.EXE	107
PID 2224 wrote to memory of 4312	2224	WINSTALL.EXE	107
PID 2192 wrote to memory of 1908	2192	cicStudent.exe	109
PID 2192 wrote to memory of 1908	2192	cicStudent.exe	109
PID 2192 wrote to memory of 1908	2192	cicStudent.exe	109
PID 2192 wrote to memory of 3028	2192	cicStudent.exe	112
PID 2192 wrote to memory of 3028	2192	cicStudent.exe	112
PID 2192 wrote to memory of 3028	2192	cicStudent.exe	112
PID 3028 wrote to memory of 4688	3028	cicStudent.exe	113
PID 3028 wrote to memory of 4688	3028	cicStudent.exe	113
PID 3028 wrote to memory of 4688	3028	cicStudent.exe	113
PID 3028 wrote to memory of 2684	3028	cicStudent.exe	114
PID 3028 wrote to memory of 2684	3028	cicStudent.exe	114
PID 3028 wrote to memory of 2604	3028	cicStudent.exe	117
PID 3028 wrote to memory of 2604	3028	cicStudent.exe	117
PID 3028 wrote to memory of 2604	3028	cicStudent.exe	117
PID 3028 wrote to memory of 3808	3028	cicStudent.exe	118
PID 3028 wrote to memory of 3808	3028	cicStudent.exe	118
PID 3028 wrote to memory of 3808	3028	cicStudent.exe	118
PID 3028 wrote to memory of 2700	3028	cicStudent.exe	119
PID 3028 wrote to memory of 2700	3028	cicStudent.exe	119
PID 3028 wrote to memory of 1864	3028	cicStudent.exe	120
PID 3028 wrote to memory of 1864	3028	cicStudent.exe	120
PID 3028 wrote to memory of 1864	3028	cicStudent.exe	120
PID 3028 wrote to memory of 3640	3028	cicStudent.exe	121
PID 3028 wrote to memory of 3640	3028	cicStudent.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.1e32ad54-8afb-4c05-a1c5-6e3e40e93fe4.uksouth2.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Loads dropped DLL
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FBC0D18A0A025DFC0DDEAFAE69A9E797 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 87B440AB95AA3D58CA0075A71B55CFFA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 84111C7B90C03CEA17CE2BF2DE3F84DC E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
  "C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *
  2⤵
  - Sets service image path in registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
    winst64.exe /q /q /i
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4744

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
  "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
  "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4688
- - C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EBd0266,1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3808
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
    "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e1e5.rbs

Filesize
93KB

MD5
99f5e12317530752dffadf462a08ee80

SHA1
a8b2b2a7a128932e1ef40e607f3781faf2d81392

SHA256
45ffc775c6661b952a2b858b30b740f2e269fe55de95934fafc2fc5eaa173dd4

SHA512
702c4c1b296c59fb744b4f08a1de50f0bf4be0c999b9aa5d847bfb8e078e597651ccce618cfcba4442226ec1b82941e538f95e7012246c291b1426e2e6078908

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\CONCRT140.dll

Filesize
238KB

MD5
092b95b9308e2827a3b1598add0e306d

SHA1
10321c34bbe5982c3005188afa94d1ce73964f2e

SHA256
a3cdd51d7a6260e352ad6de5451f4164228ef8150c77c02e5dab3b38f964307f

SHA512
20464945cdb7662e4d9f2226ad5e32ff5cff53f08e803bac1cd0a45063534e5b12aacd5661aedfe8ef5064ff56d6b147ecb9430d17e2d9ef4bb13fb7626c01cf

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll

Filesize
303KB

MD5
3426d49120f48e536e7767175450a337

SHA1
86507fd056c7adaf3296a8941230a121967aeb24

SHA256
b55bf64e38ca2d2fe9af3a6d2f95f9b08ab8166f5f40f3099f6d7c74ba491435

SHA512
6f0c26a1d8b5ca77b48d88f687394edf970c079ed68a19df546e74d951c17e158574aff1fc88074b4f38b285ba05fe1a0fe92e0f09ec157530e2144e55372e03

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

Filesize
33KB

MD5
dcaf9bf3061481f1d980c81444d657d1

SHA1
5c23e64f597e586fa78e8cfdecbea0f4bf2071b8

SHA256
50dcabfcec447b99d118199d006ee3ac91b0fe3f590bc67e6b2b8893d9e87f86

SHA512
fbcb957766bb2422307dba68d7ce24c3515f6a39b7bb812ba5b9d6ca9584e1042900f2854fed1a4564782880b04ce029d24281738eee8447c1ffdf1e28d925c8

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\PCICHEK.DLL

Filesize
31KB

MD5
99217812500d0ee8494dbb977ae54dfa

SHA1
df0df5f249aab9c702fa48bd24338571c41bf06b

SHA256
3cb1f60988010c08934ad7c527ff2a0cebd37f0669eb05fc534bc67af7f3f356

SHA512
801bf960846f636b1263a219c859cbf4a9c143d0c076a0b593bd5ca61085fc36ad6443a67e408ca140acfe1a3db6112b3105c6c459f3c7be5e0428cf21cbe226

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.DLL

Filesize
1.2MB

MD5
b7add7928db7c60b81b783766799aff8

SHA1
198ae0b23ccc035fdfaaef8bd7c8d84ea7920d1f

SHA256
4bc6aa2a95cf961b58e3edef2bcfc54bfb598426ded4d3cf6b58297e31c58e91

SHA512
5a7e8f910fcee1169557462ce774e06ff0419474eced6d2a23c13fa8f8955729d4ec7a0d6b510b0a22c9bdd851c9bf56407af95faaf9c0bd2644da71bb712f2d

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ADMod.dll

Filesize
227KB

MD5
72d513167a6f92a6dba7aff033269fb0

SHA1
f0022f343dab594eb3eda6be884bcc09df718feb

SHA256
5cec001d13e50f280d2a932586a349291886e70d727c63be1b0ed0e9989e303c

SHA512
a5e06840ec116c10afbfc809232b6b12cbd2881681cde9c823bf7e1ee8a9293f4200d172a8ae8523f3227ed46ac29ced8abe311c46fad9b29d91c43bfaaae5ca

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

Filesize
743KB

MD5
4526ba183e49463e1352772606787180

SHA1
5803f9f8f8fd82cf4e2ad32db8313c1dbf8ece85

SHA256
a87cd4f66d54ec06d3bd75a6a54cbbb5838433376e38b1400200332a1192d49b

SHA512
4a0686ec6f79fc45405320b9d69c2cd4f4e8050b20921c1475a1f5ba6787c2f75aed54c0baf27b4161e17ca1a49731a533ee3e1e0a1df15b53ca8afc35db9fe3

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll

Filesize
1.4MB

MD5
f9cf2db8b99dc50eab538c4d860ac1a4

SHA1
b261c9e7f082eb8649afab9a677e022f84fd2823

SHA256
865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71

SHA512
59660740b58b1761a4658aeb02f669f1fd8a3fcb07c162a86b9565c5f9219cb993cc9d94b43b1d39edcd5032b478b8a9b3a388fb82449ca82a83e3c6dd94c02d

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

Filesize
33KB

MD5
f046947fc0215fda61b173e6632f2522

SHA1
ea80f54f5ea5057138eac3be5cebc65a758730e6

SHA256
8d93e4a3952682cb6769d061f24ba3698907e8da13c3372e87550acd0e7753eb

SHA512
7134db57d13075436fd6135b1d9de8efcaaffe912fef56975209cdd218d7f8b8234b47ec0fef0a401fe137c7b490258e7c14a89b4f70416035d635cf940d59c5

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cicclient32provider.dll

Filesize
102KB

MD5
a4d7dbec9f09eca4c73bddc111f759a2

SHA1
d72c24be3725f439f9c42e0b92ea57cbbe56773f

SHA256
8b0c10049712f99f976c1c7a2aeecaac05f485356d20ff52085d188bc857c64c

SHA512
e968985c27895b0a60cb5cde0cf91eff1533d605af337dbf097d4d4eaeca15ef2c622760ceb2740b6a8e29345156d099a2af412ea2d1f92804f7202cc2d91586

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\cpprest_2_10.dll

Filesize
842KB

MD5
98a75771d452d5d5fafb9bdc091c512d

SHA1
67a0e43a56a15082453a9d4940e832155a3057c4

SHA256
fa87e30988d3f55399042a2eae90eae0e1934cebd11c6e10168fb40a0395da72

SHA512
9dd3d0ed053976379b96064d14c1246df0fc6e09a2683d79d6c005622f5f64e208e45fa75df41e9854671ad093c9b4c8f2274aef623173e36f553733866e3c39

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\htctl32.dll

Filesize
609KB

MD5
39a26074fff53bb65ed23219b8c335c8

SHA1
a60b0476c1089b7395fbdbd18bc70cf897ab7181

SHA256
a4759b4c935ec37ea341cb41d3222faecb87c25ad3add3359d64261f51785f64

SHA512
61101f515fbda08849cbeb980098c1bc71ff45f4316a6a8547cc4a3382818176ea3d5b937d9499c7c04cd0941205ae2356855be42fb81fef209e1724599b338c

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.inf

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.sys

Filesize
32KB

MD5
1c2143adeab91d77eb5a9624bd28b283

SHA1
5f8bb1a5a6ae56af8bbd60acd1c4c67cfd8e26b1

SHA256
f897746f7fc866b9fc100f36d6896b883e55b08c5ae9e7d8358fcdb937c6c097

SHA512
0d9a5c2130496f4ef4b06ad55be7ba84190a36e0d8412fa11e816ef53bbae413cb11742c053644d6f4df44d19746db0ea420d0426b83eb1a298d42e9e48d11a2

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.DLL

Filesize
48KB

MD5
93a96634b8d685f265eb7bd2b49f4d40

SHA1
d0ebf9a80161dd0a273f14ce331b5e8112dfc81a

SHA256
1173b0c5bfbf11bb6a928ae8dd9f6c909720043772ebbf589b11d07516742963

SHA512
17b4a4fa0f7844d735413cea553218d3dd763dae915509aac6ff82ab409ab6f2f3c8eab31b6c9308c51c0d4e91c155b65e25eddd1ed9d84ab1c6e2fe7c2e48de

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\pcicl32.dll

Filesize
7.3MB

MD5
0b6d88695106ba895eff00da393d5865

SHA1
e1ac54ac03a4d7e97ef3ada245dbc28e4cae9fd9

SHA256
d707d4da17a07c495a5ce282b766d01797d54602e20d76effa9003a6beb1acd1

SHA512
c56b384dc38d46f19d895a389391eb59e8b13aa542211cd0d063e9478e569003ea90b9685abdd4cad8fedf597d698bf1a022c22cd314fbf1b8b303e1469abe9f

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\pcimsg.dll

Filesize
54KB

MD5
c10a0306999ba7d7c598155c4d503019

SHA1
6f7674088d27cec8ba4deb84e603fdabce20da3c

SHA256
13590eab09c5d40d54a7ae1fa7beabb838187d782d02ede5a5bb21110117e452

SHA512
b5d1e13f3c4200ffed17053122efb989df55a417567466452243181991498b875ae3ac88120724376038cf5e59b79320387eee5104491054b036d10eaa4b2ddc

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat

Filesize
397B

MD5
1776504eea61cb14d645e4ecf7f66fed

SHA1
5902f0fa83a830bfc9d1befa3583330354389a26

SHA256
ebeabcbf16e7a50062ca7271a94359b5e1a648d84ab14e05974a293c56740bed

SHA512
e396290024f37579886f07e8924ba0ad5c95818fb3d7dc24263684a72d97ff0cf9eeaf85498d28bf22d8beb2c4c08eeea08839b26259b243cc3bae39eb851710

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem

Filesize
1KB

MD5
3cdcf8f9b05de85c7e7008e7f4a70123

SHA1
4f2c894e8c86200efcb93ad0ebd85296d48f360c

SHA256
27f2bfa146d2d50ae0694bc4d0fbec7e47642396099fc078e4b567048e7a439e

SHA512
93f240508610c8cabdadeaf35049204d65985c10f6e3e44a6acef1ff0da62993460e35a6ed3e5b442e32ac751312efe4f03b6b1104b0adb5beb653d71750d3e6

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\shfolder.dll

Filesize
45KB

MD5
472665ab748444f211531025e1abb9d1

SHA1
a34c7579723f6cba9cb1c4b6494bcc659854710d

SHA256
c5426e49c295507fb5b72628a7bea1b4bbe673e07b27d8ecf8b3734a4bd0612d

SHA512
57487771f4b65abb9b4226d5243b57eebbbf04bc894aada7b341e592a1f32a7c417139bc29f4e4bd21e92ddfec472e9effa1b22ac9603d7199198de63b73653c

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\vcruntime140.dll

Filesize
81KB

MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

Filesize
335KB

MD5
65c4909e7184be52bbe4403587fe116c

SHA1
c624ba2f8b13a5eb68fd09590e4d92fc90a393f6

SHA256
969163068ac5a2587ac3afd7d849dfe431a3e1f48bfa4ad9c1b9a5d72a99a055

SHA512
f1008a52fdc37f252e678f7ed515feb0fdb48dcab1a5a0e142d77f0c4a5792ab3390e4e29aa5d2477308406373d1d2e4e6237ad5aed772c57d53c776ddb23e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_63B8E89846540A9A5AB10630E3861342

Filesize
1KB

MD5
91f72cd29793b2244cd11526ba718bde

SHA1
04165a2f569468fc7c273630c4bc63be781ab844

SHA256
208bb7fcc9ee35961be8d3e028f3b318a530cea5a9ba1aff329e1c579f25e4cc

SHA512
a95c815bdebb039e26cbea4d023c0aebcf74fba34afb5d958de26ee24eb7d17b610169bd8c1f000053296228dd14a792b2bcd3eec5c22656b197941e557a7598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
ff01fb3b38eb09315c21feb9ad929958

SHA1
5512d2b7cbdcc0f9e95840c61f63f445c9e5d797

SHA256
e667e5121eb5032e8141e4b016b2655c328e150fd1ef63084c39c57477ab89fb

SHA512
3f3459a3d7a73d6464110de1302477d3eb01f75a595e3064088aa364937192f76eedf2389dda6b139cfd14d4a9a701524ee696a693e6049d0eb3e07d248ed42a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
1KB

MD5
85c5a1df491170d84b180283a4b65db8

SHA1
bb5dbaca058eb51e6f0098e3dd91b6dc799261c2

SHA256
741e9b2533f69ac245a3e363bcf70a71d4e4b54768001fd37df365eed83abded

SHA512
5dc2ae75025808f4c331b7eb3a337f2737e852baddeb40c92dd012345d117a205496a6f12748adb637ec5bd80db5d539344cc67f5336669f951715f75b916ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_63B8E89846540A9A5AB10630E3861342

Filesize
536B

MD5
c01a3754f9c71d01f15cfe8355d3a9de

SHA1
70db245e745fa50753230619380ce82cc0737c77

SHA256
9bdfcd141a8aeba7b36b5d9a8e02a1785c35be5caff72fd5576da93535032608

SHA512
265e90e35dafd556c50aa3db6aea820482998a711f1080b11ca93a630738ee8e85a9b82e11bf0adb3ae579d3385a5956d37f201157e637735b7e9ff959e7f5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
dddd4d77af8af1cb7643eacc50e860f0

SHA1
b922d4bc5727e04bc997387fa7014843ed2b8603

SHA256
a3d5d827162bd8a792e10cafbdff7b34658e4589acee08b19cd0c080a120986f

SHA512
08288a92b8ac7fe3724fca8982c5d243c3f277ffdfcaea9cbc9c09480056d42de6cc86265928e8336127a8841e3128ce1dfed0e4fabe9e532d091ae885c75793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

Filesize
508B

MD5
8f4c54d2f2d552bc3a4fcd34ad4071eb

SHA1
8be3a48aafc2a8afdec500c8df3727351f8a497c

SHA256
7e484a00c2d5f1681673e40181b61f586cdd1ca59cb7f0c89cc2e1c23fa4c26f

SHA512
fb854d0ba04a12c207fdbd6b6d9aec8ea86d4139fa05461089a7ce9f9bc9e6c4892b82785f1e8436627e3fe04b6b7e0baa776b5e7c090ea708324cf1954bd785

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9097.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI924E.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI926E.tmp

Filesize
504KB

MD5
caef4649c1b75f44c360a5574a4b9917

SHA1
a6070bd5c7258a12ae286456fbb7c5d2197d0871

SHA256
a84649e3f049f9209754cdbbdd0b09962b1a7c979271e263581dbe792e98d66e

SHA512
367872252bd58ab56400eedab653f7ccae852d20328d698b413ee31e5039660ea255f4e276680651767398a32ba90af2cb12a6a05a0f8eedd7900cd97cb1c2f1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
63b9ef805d94ebd83f7d5246220318ff

SHA1
4b746938017b9d83fde2a4dc09f8e0d4246ace26

SHA256
6ac2df0c1169b6a98044200a3b0f7813e7a955c5fbb51f626d49f8da7610915f

SHA512
e4d543b1676abf75d3be7846bcd8c29b8bc3cb7f8973fc6a41ffe04285c8f2834f4a39a3c4d56189ef7375326bb68898138ba7d0bc9961d893c63b9268cbadf1

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d6ebbe9a-d158-42d6-840e-c2868827581c}_OnDiskSnapshotProp

Filesize
6KB

MD5
2cdc35a465ae88b37a47a46a9acc4105

SHA1
ee31482b8805337dce7decc886532f9567a203ad

SHA256
4d921ed3a0ad904a6f2ef7907ef59982fe5c519a85c0b6d5ce1a45106065a1b8

SHA512
c2bcdb790804adaf3cf7dce5cbef1d337adeb4d2c79a5e1478dc607cc8cc5b525ff47249b911f8af522ea98143d77ccc78580558ac4250c62d9edd456489bcea

Download Submit
memory/3816-502-0x00000000757C0000-0x00000000759D5000-memory.dmp

Filesize
2.1MB

Download
memory/3816-503-0x00000000757C0000-0x00000000759D5000-memory.dmp

Filesize
2.1MB

Download
memory/3816-505-0x0000000075670000-0x000000007570F000-memory.dmp

Filesize
636KB

Download
memory/3816-506-0x00000000753E0000-0x0000000075664000-memory.dmp

Filesize
2.5MB

Download
memory/3816-508-0x00000000753E0000-0x0000000075664000-memory.dmp

Filesize
2.5MB

Download
memory/3816-509-0x00000000753E0000-0x0000000075664000-memory.dmp

Filesize
2.5MB

Download
memory/3816-504-0x0000000075670000-0x000000007570F000-memory.dmp

Filesize
636KB

Download
memory/3816-499-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/4852-488-0x00007FFBFD280000-0x00007FFBFD319000-memory.dmp

Filesize
612KB

Download
memory/4852-460-0x00007FFC1D180000-0x00007FFC1D4AD000-memory.dmp

Filesize
3.2MB

Download
memory/4852-491-0x00007FFC2B4A0000-0x00007FFC2B4EE000-memory.dmp

Filesize
312KB

Download
memory/4852-465-0x00007FFC2D0E0000-0x00007FFC2D81F000-memory.dmp

Filesize
7.2MB

Download
memory/4852-490-0x00007FFC2A3C0000-0x00007FFC2A48C000-memory.dmp

Filesize
816KB

Download
memory/4852-489-0x00007FFC2AEA0000-0x00007FFC2AED1000-memory.dmp

Filesize
196KB

Download
memory/4852-493-0x00007FFC1AC00000-0x00007FFC1AC2D000-memory.dmp

Filesize
180KB

Download
memory/4852-487-0x00007FFC24060000-0x00007FFC2407D000-memory.dmp

Filesize
116KB

Download
memory/4852-485-0x00007FFC23B60000-0x00007FFC23C68000-memory.dmp

Filesize
1.0MB

Download
memory/4852-483-0x00007FFC2A380000-0x00007FFC2A3BB000-memory.dmp

Filesize
236KB

Download
memory/4852-482-0x00007FFC2A380000-0x00007FFC2A3BB000-memory.dmp

Filesize
236KB

Download
memory/4852-481-0x00007FFC2A010000-0x00007FFC2A044000-memory.dmp

Filesize
208KB

Download
memory/4852-478-0x00007FFC290D0000-0x00007FFC29860000-memory.dmp

Filesize
7.6MB

Download
memory/4852-474-0x00007FFC2C6F0000-0x00007FFC2C75B000-memory.dmp

Filesize
428KB

Download
memory/4852-472-0x00007FFC2C570000-0x00007FFC2C61D000-memory.dmp

Filesize
692KB

Download
memory/4852-471-0x00007FFC2C8E0000-0x00007FFC2C9F5000-memory.dmp

Filesize
1.1MB

Download
memory/4852-470-0x00007FFC2B4F0000-0x00007FFC2B573000-memory.dmp

Filesize
524KB

Download
memory/4852-469-0x00007FFC2C3A0000-0x00007FFC2C419000-memory.dmp

Filesize
484KB

Download
memory/4852-467-0x00007FFC2B210000-0x00007FFC2B237000-memory.dmp

Filesize
156KB

Download
memory/4852-468-0x00007FFC10860000-0x00007FFC1088C000-memory.dmp

Filesize
176KB

Download
memory/4852-466-0x00007FFC2D0E0000-0x00007FFC2D81F000-memory.dmp

Filesize
7.2MB

Download
memory/4852-486-0x00007FFC2A690000-0x00007FFC2A6FA000-memory.dmp

Filesize
424KB

Download
memory/4852-484-0x00007FFC23B60000-0x00007FFC23C68000-memory.dmp

Filesize
1.0MB

Download
memory/4852-480-0x00007FFC2A130000-0x00007FFC2A147000-memory.dmp

Filesize
92KB

Download
memory/4852-479-0x00007FFC1DB50000-0x00007FFC1DB68000-memory.dmp

Filesize
96KB

Download
memory/4852-476-0x00007FFC29CA0000-0x00007FFC29CD3000-memory.dmp

Filesize
204KB

Download
memory/4852-463-0x00007FFC1D180000-0x00007FFC1D4AD000-memory.dmp

Filesize
3.2MB

Download
memory/4852-492-0x00007FFC1AC00000-0x00007FFC1AC2D000-memory.dmp

Filesize
180KB

Download
memory/4852-461-0x00007FFC1D180000-0x00007FFC1D4AD000-memory.dmp

Filesize
3.2MB

Download
memory/4852-473-0x00007FFC2C6F0000-0x00007FFC2C75B000-memory.dmp

Filesize
428KB

Download
memory/4852-459-0x00007FFC1EC10000-0x00007FFC1EC22000-memory.dmp

Filesize
72KB

Download
memory/4852-458-0x00007FFC2C440000-0x00007FFC2C56A000-memory.dmp

Filesize
1.2MB

Download
memory/4852-457-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-456-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-454-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-453-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-452-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-451-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-450-0x00007FFC2B050000-0x00007FFC2B15B000-memory.dmp

Filesize
1.0MB

Download
memory/4852-449-0x00007FFC0FB20000-0x00007FFC0FFB4000-memory.dmp

Filesize
4.6MB

Download
memory/4852-448-0x00007FFC0FB20000-0x00007FFC0FFB4000-memory.dmp

Filesize
4.6MB

Download
memory/4852-446-0x00007FFC28810000-0x00007FFC288A0000-memory.dmp

Filesize
576KB

Download
memory/4852-445-0x00007FFC28810000-0x00007FFC288A0000-memory.dmp

Filesize
576KB

Download
memory/4852-443-0x00007FFC2B5E0000-0x00007FFC2B8A9000-memory.dmp

Filesize
2.8MB

Download
memory/4852-444-0x00007FFC2B5E0000-0x00007FFC2B8A9000-memory.dmp

Filesize
2.8MB

Download
memory/4852-462-0x00007FFC1D180000-0x00007FFC1D4AD000-memory.dmp

Filesize
3.2MB

Download
memory/4852-442-0x00007FFC2B5E0000-0x00007FFC2B8A9000-memory.dmp

Filesize
2.8MB

Download
memory/4852-455-0x00007FFC2CA00000-0x00007FFC2CAAC000-memory.dmp

Filesize
688KB

Download
memory/4852-494-0x00007FFC1AC00000-0x00007FFC1AC2D000-memory.dmp

Filesize
180KB

Download
memory/4852-495-0x0000000011320000-0x0000000011373000-memory.dmp

Filesize
332KB

Download
memory/4852-477-0x00007FFC290D0000-0x00007FFC29860000-memory.dmp

Filesize
7.6MB

Download
memory/4852-475-0x00007FFC29CA0000-0x00007FFC29CD3000-memory.dmp

Filesize
204KB

Download
memory/4852-464-0x00007FFC1D180000-0x00007FFC1D4AD000-memory.dmp

Filesize
3.2MB

Download
memory/4852-447-0x00007FFC0FB20000-0x00007FFC0FFB4000-memory.dmp

Filesize
4.6MB

Download
memory/4852-441-0x00007FFC2C630000-0x00007FFC2C6EE000-memory.dmp

Filesize
760KB

Download
memory/4852-440-0x00007FFC2C630000-0x00007FFC2C6EE000-memory.dmp

Filesize
760KB

Download