Analysis
max time kernel: 952s
max time network: 958s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 17:18
Static task: static1
Behavioral task: behavioral1
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10ltsc2021-20250619-en
Behavioral task: behavioral3
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win11-20250610-en
General
Target: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
Size: 161.9MB
MD5: f90bad1d98e0b83c6f7ee6de8ef14808
SHA1: 1d68942f29c9a7dff0bf5bcec0f8a407b79dbc76
SHA256: c4b825fcd3b18955157e5ea94fc13baf2512c9b4d69c484d087904fe8fd8a5b7
SHA512: 3582900b604d74a8a2977a1cbd5cf07a398db3c0af47f1c92d0f109aac40fec5ba29e174b05d7b102684ec5f6d96a27eb20b8f31639c2239ca9bacdaab9506b2
SSDEEP: 3145728:wujlRWlJTp1m+q+fb3NtFLGlHLyupBLq6hxfOE5M77OXoNiex:wuyJvDhfRf6lH2MDPfOE5M2XoNiex
Malware Config
Signatures
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Netsupport family
Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\system32\drivers\nskbfltr.sys (winst64.exe)
Sets service image path in registry (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *" (WINSTALL.EXE)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" (WINSTALL.EXE)
Impair Defenses: Safe Mode Boot (1 TTP, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent (CICSafeguardingAgent.exe)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service" (CICSafeguardingAgent.exe)
Blocklisted process makes network request (2 IoCs)
  flow 39, pid 2464: MSIEXEC.EXE
  flow 41, pid 2464: MSIEXEC.EXE
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" (WINSTALL.EXE)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PHYSICALDRIVE0 (CICSafeguardingAgent.exe)
Drops file in System32 directory (64 IoCs)
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (25 IoCs)
Executes dropped EXE (46 IoCs)
Loads dropped DLL (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.
System Location Discovery: System Language Discovery (1 TTP, 40 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) (3 TTPs, 29 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CICSafeguardingAgent.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | CICSafeguardingAgent.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" | cicStudent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" | cicStudent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMEM" | cicStudent.exe
Modifies data under HKEY_USERS 21 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | cicStudent.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000831412fd07eddb01 | CICSafeguardingAgent.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | CICSafeguardingAgent.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" | cicStudent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | cicStudent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | cicStudent.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" | cicStudent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E | CICSafeguardingAgent.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961238063876095" | msedge.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" | cicStudent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | cicStudent.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | CICSafeguardingAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | CICSafeguardingAgent.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Turkish = "Student" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Version = "33554434" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\9BF947074BB12CC4D9210B0B856FB3E6 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\MexicanSpanish = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductName = "classroom.cloud Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\PackageName = "classroom.cloud Student.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with classroom.cloud Student" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Brazilian = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\NSS | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\German = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Russian = "Student" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.rpf | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /r\"%1\"" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32 | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\French = "Student" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\ = "cicClient32Provider" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Student = "NSS" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Common = "NSS" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Spanish = "Student" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductIcon = "C:\\Windows\\Installer\\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\\ARPPRODUCTICON.exe" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net\1 = "C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\ChineseT = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4144907350-1836498122-2806216936-1000\{CD4F7CD3-50F8-4295-BF46-14495A6A9F24} | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Korean = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Lithuanian = "Student" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Finnish = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Swedish = "Student" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile | WINSTALL.EXE
Suspicious behavior: AddClipboardFormatListener 9 IoCs
pid | Process
1700 | cicStudent.exe
5408 | CICSafeguardingAgent.exe
5764 | vlc.exe
1700 | cicStudent.exe (6 further entries)
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | Process | entries
1440 | MsiExec.exe | 2
4420 | msiexec.exe | 2
4708 | MsiExec.exe | 2
5156 | WINSTALL.EXE | 6
3512 | cicStudent.exe | 2
1700 | cicStudent.exe | 2
3948 | CICPlugin64.exe | 2
5408 | CICSafeguardingAgent.exe | 4
5092 | chrome.exe | 4
5380 | msedge.exe | 2
6076 | msedge.exe | 2
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid | Process
1280 | CICPlugin.exe
5408 | CICSafeguardingAgent.exe
3948 | CICPlugin64.exe
5764 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid | Process | entries
1756 | msedge.exe | 6
5380 | msedge.exe | 2
5092 | chrome.exe | 5
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2464 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 2464 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 4420 | msiexec.exe
The remaining 61 entries all belong to 2464 MSIEXEC.EXE and cycle through the 29 privileges below in this order: twice in full (58 entries), then a third pass that stops after SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege (64 entries in total).
Token: SeCreateTokenPrivilege | 2464 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 2464 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 2464 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 2464 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 2464 | MSIEXEC.EXE
Token: SeTcbPrivilege | 2464 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 2464 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 2464 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 2464 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 2464 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 2464 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 2464 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 2464 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 2464 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 2464 | MSIEXEC.EXE
Token: SeBackupPrivilege | 2464 | MSIEXEC.EXE
Token: SeRestorePrivilege | 2464 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 2464 | MSIEXEC.EXE
Token: SeDebugPrivilege | 2464 | MSIEXEC.EXE
Token: SeAuditPrivilege | 2464 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 2464 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 2464 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 2464 | MSIEXEC.EXE
Token: SeUndockPrivilege | 2464 | MSIEXEC.EXE
Token: SeSyncAgentPrivilege | 2464 | MSIEXEC.EXE
Token: SeEnableDelegationPrivilege | 2464 | MSIEXEC.EXE
Token: SeManageVolumePrivilege | 2464 | MSIEXEC.EXE
Token: SeImpersonatePrivilege | 2464 | MSIEXEC.EXE
Token: SeCreateGlobalPrivilege | 2464 | MSIEXEC.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | entries
2464 | MSIEXEC.EXE | 2
1700 | cicStudent.exe | 46
5884 | CICToolbar.exe | 16
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | entries
1700 | cicStudent.exe | 44
5884 | CICToolbar.exe | 20
Suspicious use of SetWindowsHookEx 22 IoCs
pid | Process | entries
4932 | winst64.exe | 1
5408 | CICSafeguardingAgent.exe | 9
1280 | CICPlugin.exe | 1
3948 | CICPlugin64.exe | 1
544 | eSafetyHookAppCIC.exe | 1
4400 | cichooksApp64.exe | 1
5436 | HookAppCIC64.exe | 2
5764 | vlc.exe | 1
1700 | cicStudent.exe | 5
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target | entries
PID 4932 wrote to memory of 4628 | 4932 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe | 91 | 3
PID 4628 wrote to memory of 2464 | 4628 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe | 106 | 3
PID 4420 wrote to memory of 1440 | 4420 msiexec.exe | 109 | 3
PID 4420 wrote to memory of 4856 | 4420 msiexec.exe | 115 | 2
PID 4420 wrote to memory of 5328 | 4420 msiexec.exe | 118 | 3
PID 4420 wrote to memory of 4708 | 4420 msiexec.exe | 120 | 3
PID 4420 wrote to memory of 5156 | 4420 msiexec.exe | 123 | 3
PID 5156 wrote to memory of 1464 | 5156 WINSTALL.EXE | 125 | 2
PID 3512 wrote to memory of 1572 | 3512 cicStudent.exe | 127 | 3
PID 3512 wrote to memory of 1700 | 3512 cicStudent.exe | 128 | 3
PID 1700 wrote to memory of 4444 | 1700 cicStudent.exe | 129 | 3
PID 1700 wrote to memory of 4932 | 1700 cicStudent.exe | 130 | 2
PID 1700 wrote to memory of 5408 | 1700 cicStudent.exe | 132 | 3
PID 1700 wrote to memory of 4052 | 1700 cicStudent.exe | 134 | 3
PID 1700 wrote to memory of 1280 | 1700 cicStudent.exe | 135 | 3
PID 1700 wrote to memory of 3948 | 1700 cicStudent.exe | 136 | 2
PID 1700 wrote to memory of 1464 | 1700 cicStudent.exe | 137 | 3
PID 1700 wrote to memory of 5260 | 1700 cicStudent.exe | 138 | 2
PID 4628 wrote to memory of 2352 | 4628 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe | 139 | 3
PID 5408 wrote to memory of 1612 | 5408 CICSafeguardingAgent.exe | 140 | 2
PID 5408 wrote to memory of 544 | 5408 CICSafeguardingAgent.exe | 141 | 3
PID 544 wrote to memory of 4400 | 544 eSafetyHookAppCIC.exe | 142 | 2
PID 5408 wrote to memory of 5436 | 5408 CICSafeguardingAgent.exe | 143 | 2
PID 5408 wrote to memory of 4860 | 5408 CICSafeguardingAgent.exe | 146 | 3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Process tree: the number in brackets is the nesting depth in the tree; children are indented under their parent.)
[depth 1] C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4932
    [depth 2] C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}" /IS_temp
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4628
        [depth 3] C:\Windows\SysWOW64\MSIEXEC.EXE
            Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
            - Blocklisted process makes network request
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            PID: 2464
        [depth 3] C:\Windows\SysWOW64\explorer.exe
            Command line: C:\Windows\system32\explorer.exe
            PID: 2352
[depth 1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4420
    [depth 2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 30CDFBDB81CF72E7508D9196B5BB6E83 C
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1440
    [depth 2] C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID: 4856
    [depth 2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0EDB1D95CD77F395A80B670AD7C410B
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 5328
    [depth 2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E66C2E517D7D20BD397BC5D54EF1D808 E Global\MSI0000
        - Drops file in Windows directory
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        PID: 4708
    [depth 2] C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *
        - Sets service image path in registry
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 5156
        [depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
            Command line: winst64.exe /q /q /i
            - Drops file in Drivers directory
            - Drops file in System32 directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
            PID: 1464
[depth 1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    PID: 5592
[depth 1] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3512
    [depth 2] C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        PID: 1572
    [depth 2] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1700
        [depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
            Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            PID: 4444
        [depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
            Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EB100242,1
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            PID: 4932
        [depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
            Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1
            - Impair Defenses: Safe Mode Boot
            - Writes to the Master Boot Record (MBR)
            - Drops file in Program Files directory
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Checks SCSI registry key(s)
            - Checks processor information in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 5408
            [depth 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
                Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"
                - Executes dropped EXE
                PID: 1612
            [depth 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
                Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 544
                [depth 5] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
                    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 544 500 Local\CIC_ESAFETY_IPC_KDB
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
                    PID: 4400
            [depth 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
                Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
                PID: 5436
            [depth 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
                Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 4860
C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4052
-
-
C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM3⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1280
-
-
C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM3⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3948
-
-
C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464
-
-
C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"3⤵
- Executes dropped EXE
PID:5260
-
-
C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe"C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf83⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5884 -
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1756)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5468)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x310,0x314,0x318,0x30c,0x3b4,0x7ffea8c7f208,0x7ffea8c7f214,0x7ffea8c7f220

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4880)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:3

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4748)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2356,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:2

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2668,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2788 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3680)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3600,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3140)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3624,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5996)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5748)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3132)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 5364)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 3788)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2244)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=776,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5796)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4056)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4936,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3732)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=1932,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=3620,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3680 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2524)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3508)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6460,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4668)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6644,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4432)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4248)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6880,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3524)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5380)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1208)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x26c,0x270,0x274,0x268,0x29c,0x7ffea8c7f208,0x7ffea8c7f214,0x7ffea8c7f220

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2028)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2324,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:2

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1212)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:3

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 2244)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (PID 1920)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4756)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4560 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2312)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4764,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4920,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5032)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4756,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5612,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1920)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=612,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5444)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4620,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5272)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1084)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6492)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=824,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6076)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4552,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4676,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1584)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3472,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2992 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6256)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5836,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3712 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 392)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4740,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2884)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3988,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4984)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5904,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe (PID 3292)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe (PID 2308)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe (PID 4352)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe (PID 1216)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe (PID 2652)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe (PID 6832)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf8
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6556)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 4056)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 4892)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 3104)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 1496)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6436)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 4384)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 5116)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6540)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6684)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 3004)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 4816)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 2688)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 5932)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 4348)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6360)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:1672
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:2524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:4500
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4cc 0x3201⤵PID:2372
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:2612
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5092 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffea7aedcf8,0x7ffea7aedd04,0x7ffea7aedd102⤵PID:4600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2072 /prefetch:22⤵PID:5612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2352,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2364 /prefetch:32⤵PID:4084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2468,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2480 /prefetch:82⤵PID:4784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3284,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:1452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3588,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3600 /prefetch:12⤵PID:5932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4568 /prefetch:22⤵PID:1356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4732 /prefetch:12⤵PID:2736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4952,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4980 /prefetch:82⤵PID:460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5492 /prefetch:82⤵PID:2612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=6024,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=6084 /prefetch:12⤵PID:3744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5828,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5152 /prefetch:82⤵PID:6472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5904 /prefetch:82⤵PID:6480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5872,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5924 /prefetch:82⤵PID:6488
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:3628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:5048
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5764
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
  Event Triggered Execution: 1
    Component Object Model Hijacking: 1
  Pre-OS Boot: 1
    Bootkit: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
  Event Triggered Execution: 1
    Component Object Model Hijacking: 1
Defense Evasion
  Impair Defenses: 1
    Safe Mode Boot: 1
  Modify Registry: 3
  Pre-OS Boot: 1
    Bootkit: 1
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1
Downloads
-
Filesize: 98KB
MD5: ad623b1bc9eb4fcf0ab4a3c9f7d8060d
SHA1: cc6f4d324401cf304cc1a74a1af9f169a1c604ac
SHA256: 3e80d45bbc1d3604f827ee027c8e0552f26872c3b3b582e44196ee06a9824219
SHA512: 23aa46c3df2621897845895784ee27aceb83d3e0cf787b396840b004900453232b9aa95e017a99f6e5c961fd62da0f87e978f7123c1a154c8056d38480aed7c4
-
Filesize: 303KB
MD5: 233d6c47b7c38c84c6795c3fe173525e
SHA1: 02b87df7cff7f9b484f55c4e451bbd49d4f402ce
SHA256: 9d6bd498a54d006a3d41499b8442df15d4e8ef5083cda4ed4620014ce057989c
SHA512: 023a184f978ddbf8be714ae1437bc1da59fdc5cfac0e1ed13befbb09004951312a8fa7d30fad66e6641ec3b0ce0568c2899f1343e4f6da9ae23d4975c82063f5
-
Filesize: 33KB
MD5: 231413407e88a179ea9a7889305bdc8d
SHA1: d6031475fb06cc401352be605a4ef70c89a0c774
SHA256: 9a70110c7d0d1366c21e5acc69498cc67c87aef96ae67c7fb37314243a23a5a7
SHA512: 12cc1f4acec4159a86b76a08661ed8ce583b24ecc1a7da734e52a1416a02a330937cb1eae6b098fc8d7b69b89a651c54146de4185e6d8db4cb9790c66f658725
-
Filesize: 429KB
MD5: 1d8c79f293ca86e8857149fb4efe4452
SHA1: 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
SHA256: c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
SHA512: 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1
-
Filesize: 31KB
MD5: c82ffe193bfb7a4e37d84c6f69128054
SHA1: b3429dc37d021432e5d47e0a2eb087268e8d1e6c
SHA256: ef64a39c59562b1a731563b7c688fae45c3e8f355d402c7ebc80f19aea09f9ef
SHA512: aa3bc90c072c8d9da93e55d026459930338cc083491e3c42782adc4c06cd25f16136369c63ea3252cadee5ec62e3e3b8f06b1bbaa82a8f6838d6be3e36ed7b18
-
Filesize: 1.2MB
MD5: 3cb1b4875e0115df4acf16f2d9afc195
SHA1: 1c869c11c8113b39e7291df1bc4283d6062be810
SHA256: 97b0de6aff804f5634b7453b6b27ee5a2d78ab2781c9cbf59a45b8a2f6e783d3
SHA512: 86ec315a960ad0223d35b569927df60939109ad4d9d1f20fa990e493fb3c25a2240196a9c852ecfd4967d01d4bd39f9f6e07dace2e70a50975fde8ee1c05e2aa
-
Filesize: 46KB
MD5: 0501c0cb6cb497ab6bdcfb4424295442
SHA1: d31d676024be5459f0d74a92e7bc22311a6a0fe9
SHA256: 73177341059297bf68283667bb03e754d86e8782a5a3b96e55e7d2b7422f6472
SHA512: 0c16c620117d1b939f9a09bd6e9eb6cb2022016a15e36ca93b0faa328a11345e308795c3e96eedc6379c296dad7da505cb6e05be02bca1057d3d478c1bfc131f
-
Filesize: 86KB
MD5: a61e06cf390215db0cbccabd20a88543
SHA1: b4be0f456fbc5f143344e2563f167a32c418d739
SHA256: 7039caeac8385590c84003fec2d373f9dede911d853206743236ecd65f493e40
SHA512: f99633b056ca0b3a167e386a9d6a44cabf6c5383b48698f9ac5e1b28cf88280058ae62698a2d0e1175bd623f558a51ca520d6c252845a0d8fc7998a36d81a380
-
Filesize: 107KB
MD5: 8115ab34ef0cc4797b814378d6e5d68b
SHA1: 6836e7ce359605459d770e07c91b9055ae11a6f9
SHA256: d84f5e874237c70e4f5643b4e60fbb20e2a2c6e2510e7c169e9de53b6676048f
SHA512: 4622e8fa15740f7269300741645052bca226162794886dbef05b6860af5dc88a820d4b9ff0f2344736472cc2287609002d5829f8481b0a15e18a029c265aa9c1
-
Filesize: 217KB
MD5: 182a16b7281dafe1f3f18cdae50517b3
SHA1: a1b09ceea9d4be113774091afe6c64f688d14777
SHA256: e8f264a5cb5376c300fa151c7bded92d410cbb76aeee67772e240daaf7208255
SHA512: 76dbf7ec2235a86cbf56d4b3cd943faacff95861786cff53f50869342883e1e7d4933ef20dfb1d081e41e2509c5e28d7c7b8757e44f1e24896a5dfff4c7dc1b3
-
Filesize: 85KB
MD5: fd1148acce98cd2d51c3f97c8c3c14c5
SHA1: ab1b65ed5bdd8be9978578f639654f7de3f1209e
SHA256: 81f52395f8e25205af1133c69dea1cd40a9c55ed9e15b374260f0b22a7281e42
SHA512: ef9d9d1f585cc96ffaab4fe745770de6394ec2c091c72760b6f0b7c69a82b88e5143affae8fcdd0e514e680354573dc46ce4d308e5bf1918f93b0aa896261420
-
Filesize: 204KB
MD5: 5a604969f3e3635fb05a95ead6f6249f
SHA1: c9650a7ba71b6a81bd805b2970eaa509f7a1a8fa
SHA256: 412f367ec28f2e76939ff86f1d0f269596a4885a4bdcef26e5295e75917be429
SHA512: c1e07bc1dd47cdd07724eaadd35f46cbb5bcfff1a0cad4c16ec23ce9edbb9bbe69100c86937dc02718bd1bf3da4a22c9736d497c0f1d29da180f2608a129e904
-
Filesize: 97KB
MD5: 12cb5b2c2d6acda63bbdf7242b8c38c0
SHA1: 20eb3eac8df0266826295f8c2638d5a6908132f4
SHA256: 63c7b0401663812ed8c9c78b84b44d603b62e48d395542efe3394c48dee6582f
SHA512: a65886565b6242d56ea438ec000568eebfefc188099d25df4cfa91de2f51c07aa1862ae7865b6fd16b621cfd3f0567bdc738437db4a7d4692436f86fd20e10b7
-
Filesize: 61KB
MD5: 6cf754a46adcd324d7c93593e2d22518
SHA1: f3d75e427bf61151442a129fce70c78a4937cc79
SHA256: cf5eaca01cdbc596fa6d49bfef07f94a9e21b9bdcf8e661fb777aa35ffa43089
SHA512: 0e44bd204daf8ee0ab225fe0dd828cb1e78a81725f3ab2d20e85fac1a0efa13ff2196433149ca31626be59780f7a542e9f917d752fc4999e018cd411b406eff5
-
Filesize: 208KB
MD5: 21b301bbb8f88d75d893d475d8f657f6
SHA1: 33afab1c540a11269cc5f46c9a3270a85d460958
SHA256: 5ccab2b8a6fead9a8790f1a109d6f6b8974ed3c99c3778d4ce9b1b3d58968748
SHA512: b584564a1cb9204bf23f3f20ab2fcb7525463c9adcf1589b1eced7f7cc0f32128016364b1ab638546001bf20b430d56c87168559ce34c3365b86385563a35bee
-
Filesize: 130KB
MD5: c0b213079929efb3571a0d8fc1645909
SHA1: 197184e3ec72e9cf6a2e6b0dfa6abf39d145b90e
SHA256: 64608d9fdb41cb2f89c86a5fe6117d23f7b9b134a965ff2294c94b99640ea2c7
SHA512: fe52eaeacf68a46c4acdd529ed7677f498a41769a731de37218e3e0313ee57a81a1fdd87af16f6848b0e3eab2184162bc9dd422f4bd17030388265ea9d62e2b2
-
Filesize: 299KB
MD5: 212b239eb6604dcac0a301d6e14a59cd
SHA1: d70eb5504fb7b27295597abe3de9cdbcacd03f90
SHA256: f2157184a435ad69adcd4d8087b2839707cc9ac33b0f927e8b0de32c7b16b0e3
SHA512: b4b3df80bc9d553035633eea773a3c54e4f1e11f145d71573bbdd90090420fab4c3d49edeaed5478348520110c28dd2cec626640725c323f0f1c394802c9597c
-
Filesize: 107KB
MD5: bba65f31222c17a1853c5fb9a1ba4e51
SHA1: 24941c2361f4db7aaad352103030178d73a39206
SHA256: 2d5334ceed6b603e3d18cafefcffbb1c85694202625d23fcdcc23615e31b185c
SHA512: bf08cd5d78a70b5f313cf736f9c01d9225ab6296a5cf3b411fe39ece69d9f8caea0cac16cc91d610ee61fe0088bcbc1f271478fce60f2aac7b2ceae1f849a632
-
Filesize: 93KB
MD5: 5341bb2685c89d671fa628ca8c0def05
SHA1: 5babc0927c18d9a37987e9c23ddc950951a59c0e
SHA256: 536e984e070427f4bab27023def839c8c58d834acfb72e06c25167b0540b1394
SHA512: 20567a4a3d215ccee097ef94e521b70c9f8eca54983103f4469aa4367b426afdef954fca83dba9305d48201682c37eed845886761e1ffa0023b8b0768ccbcabf
-
Filesize: 170KB
MD5: e577c17c4891f703630d83a5315abf6e
SHA1: 91a0f7f86cc1043d6e8abe8930e66bcaec890865
SHA256: c57c19305cea56e33c7bfc204379d20ac359ac84da737c64612a91481acd068d
SHA512: ef8f985118eb0b8da75516e9ce097e16bf0da05fe08d51b8d48cce6c61f3a09f44f5b41cf76a116b026e02546e686fb3b62042c9fc4c5c993849fb9272f4f2b9
-
Filesize: 41KB
MD5: 7a858a62fef9760a753b9cb07716d40e
SHA1: 644690afab612beb06a22b673fb024b14f341c15
SHA256: 6aa3e5de0a176d25570fc983315089a6a66a228c6298bd020de424120216edcc
SHA512: 5dc76020b04764ad268d52ee4fd623d40573ea9e9fee831acc7dc9dff15857d7fb85cb6260ac64fde718d6874759680e533f7391ff02e2e1b536eb7f96192da2
-
Filesize: 62KB
MD5: 117e651c518b35cd481eb176a960bdde
SHA1: 882bf297863f1ec7ff344c81c07ef1ba5fae3c18
SHA256: a5be60b9aad89d39d65f0a354afc3fabc9e869a8dd342a3a70abe1b2312e79bf
SHA512: fa611903e6f2f43f3650c58ca7c879eff86626b641746a677b5729dc05570759f8f3a6e793967e713a96ed2afb25583a46e458a4786d1a44ef5a78da768d8017
-
Filesize: 124KB
MD5: ff4999b039e8bdc4bf2e94f362617b16
SHA1: 4d3861a3b77dcf59f774257c54f62a0d51d328aa
SHA256: 82ae7b76091d42f0a59b53150b184bd77f08ecb085e5e4d608a757a85dff5928
SHA512: 6b9c679b1c408260bc810550b2e3b3619f2c8aad2cf9d5f0517806f1c216d5cc0a2c314ab6d1a0492306dff0086fa0edf1da4ebc482e16ffb2250a59bd235c6a
-
Filesize: 66KB
MD5: c8d510b9e1b084333f40a054d404884e
SHA1: 67ee32911115462be0b0aebb728cacc5bcfb5b88
SHA256: e2b3503180fa40362c1ed983852ff32dcffcc71fed05d3197c7a9996eb820f85
SHA512: bdac6796fcb7f00f84375cecf1a5cfaec39afbb78956514f5a7d2c0b7b8bf55599669e571cfc856cf683dcc8a417b19bae99c76598594c9cdd647dc72ebf80b8
-
Filesize: 227KB
MD5: f9b4a682ca1fc4d2ea21634a034edae7
SHA1: 28532ff051fe208d1d75e3bf413cc55a65d128a4
SHA256: c1959663aa2fd4614553bf14bd0805455b8140e8c271b9aea01fc00339ed63c1
SHA512: 3067c7a0ea71873f68ad7b830283d3a4de5e6db161c2701c1b1f80eb6b747bb511cd748a9360127afcf01e87bbd8c39862fbb8b2ddaccf403a79c2b382d850e3
-
Filesize: 2B
MD5: c4103f122d27677c9db144cae1394a66
SHA1: 1489f923c4dca729178b3e3233458550d8dddf29
SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA512: 5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
-
Filesize: 1.3MB
MD5: d49157eb1caaa84fdfac88628f8134ea
SHA1: ea22715e2a9d66c74ea55b6ffe46a1555b612356
SHA256: e8625a6883d63407c2a7897f93701bbc488db0c2b52519b8be2b6928c669ab6b
SHA512: 80c32dcdf64f19c316adcf92b9c5ca2dd6d50607479b1c43058226c8b4ed9a219087d246677cafe534799bef28ab3fc825cd3ab14db7792bdaf677c6aaa73830
-
Filesize: 743KB
MD5: c6b9f3f79923b253424465b4055bdb28
SHA1: 3744a1f6b0e9222ed6850d021016eca0b10bc519
SHA256: ec764c26475e1c9620b642c8807142bfdb72e85e1e8bdc87cdfb0e43f90a3b62
SHA512: ecb7738dcef64b3b62a708565c08a8302629a47fdd26f8630ba6359ba413e93b2c96719cdf9c8c5845d1f0d61a69a34dab84431fe6d93a249ab982d7348e57d1
-
Filesize: 1.4MB
MD5: f9cf2db8b99dc50eab538c4d860ac1a4
SHA1: b261c9e7f082eb8649afab9a677e022f84fd2823
SHA256: 865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71
SHA512: 59660740b58b1761a4658aeb02f669f1fd8a3fcb07c162a86b9565c5f9219cb993cc9d94b43b1d39edcd5032b478b8a9b3a388fb82449ca82a83e3c6dd94c02d
-
Filesize: 33KB
MD5: ffa0bb22a09efde0dc53cee4ad7761ce
SHA1: 9213940d26e0d98afcd33ac3d3e021f3b99f50a6
SHA256: 70d8dc0d4f6c2c88bef7f8a18da833ae9c99d6da8a3b253f12fbfb91eb75b7f3
SHA512: a2853aff65a297254188a2ed64ca9e1d81daaf037fd48a9d97764d1e8e90e294ace33fb4ee1151fce086299b5ced04854758f7fd6f16b5ebc25d64ea6f399f34
-
Filesize: 238KB
MD5: 092b95b9308e2827a3b1598add0e306d
SHA1: 10321c34bbe5982c3005188afa94d1ce73964f2e
SHA256: a3cdd51d7a6260e352ad6de5451f4164228ef8150c77c02e5dab3b38f964307f
SHA512: 20464945cdb7662e4d9f2226ad5e32ff5cff53f08e803bac1cd0a45063534e5b12aacd5661aedfe8ef5064ff56d6b147ecb9430d17e2d9ef4bb13fb7626c01cf
-
Filesize: 842KB
MD5: 98a75771d452d5d5fafb9bdc091c512d
SHA1: 67a0e43a56a15082453a9d4940e832155a3057c4
SHA256: fa87e30988d3f55399042a2eae90eae0e1934cebd11c6e10168fb40a0395da72
SHA512: 9dd3d0ed053976379b96064d14c1246df0fc6e09a2683d79d6c005622f5f64e208e45fa75df41e9854671ad093c9b4c8f2274aef623173e36f553733866e3c39
-
Filesize: 755KB
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize: 2KB
MD5: 344e5f94494802ff38fa02cec9ab8e02
SHA1: fb16f5357725ac40a00a608be0bc522c2b0544ea
SHA256: f6f1c23bf836f7773de21292e6aebd86568993f995c0cb799a63151a67e05f12
SHA512: 0cb6e4ac146f4352249ecf29cfe7eb3c3105342fdfda8e6ca9e23abbf1cba179fa3a9f62b992ac700c65d6234a1679d3790f40ae948cc5e5b01443755a36f5b5
-
Filesize: 39KB
MD5: 35c66ae99109a44804f5ea8032d1377d
SHA1: 6f769b861db4595d15733372fd4932dc226b72af
SHA256: f1b455de2ec03091d0ed0d27c7e8428931208d9b3fcfc91b13b1a3eb55235064
SHA512: 55ce58e56a9dd1de898940bbcc79b120f1df87eb39a1b5882134478bc7f7cfa7ea3fe2038bdd573fa6a2930594f53310e8c3f02f6d32ad14af985d89174f82a5
-
Filesize: 48KB
MD5: bd5def2b91eaf52eba3a33eeb67cee48
SHA1: 6cc6d4b8379cf2a59a770110d17b1f5a531a4a05
SHA256: 6ebc2f4a6962793da3d7cffcda8f0246be8c9eebff3591d021279b482c08926b
SHA512: 6f203908aa2002282cd66eb52d2a1473248afb92ae419d0d04352604c580f34308f485f9283a5b83aeb7742c2e9cdce6e3354935f226667cd5c2ba266430e975
-
Filesize: 7.3MB
MD5: 6fa0e22d7e5d4ee737878290035a0267
SHA1: 5099b37c049fa3a91a63611535429fd18adb5c2a
SHA256: 79bc3ed1a07c0119719b7875865162293df573c540edbce7c08e47325c362dcd
SHA512: ab5b2d0d5b862c2b9cca9e9a1e3590281b5cf94fe69ca322e335e8d59d85efebcd098c115c5a4ecf1aff6dc0acdcddc6b68ba62d4144eac3044e0df4f4f1a39e
-
Filesize: 54KB
MD5: 0880c1c48690981c8d06831956ebf69a
SHA1: f112137e17e5e5c69567c431f993c338b6fc3422
SHA256: dbf281d1a065ea5e3162f01b658910a39f70f24523d9d6e0ea11535055120d63
SHA512: 97805f65041d2fc8e2f49795cd2a9a9216dee43463112a7576e78bfb595e7b74da7121652e8bf6a8c04fbfde4c7671c4810b748b693a523d285d307eeeaaaaa6
-
Filesize: 397B
MD5: 1776504eea61cb14d645e4ecf7f66fed
SHA1: 5902f0fa83a830bfc9d1befa3583330354389a26
SHA256: ebeabcbf16e7a50062ca7271a94359b5e1a648d84ab14e05974a293c56740bed
SHA512: e396290024f37579886f07e8924ba0ad5c95818fb3d7dc24263684a72d97ff0cf9eeaf85498d28bf22d8beb2c4c08eeea08839b26259b243cc3bae39eb851710
-
Filesize: 1KB
MD5: 3cdcf8f9b05de85c7e7008e7f4a70123
SHA1: 4f2c894e8c86200efcb93ad0ebd85296d48f360c
SHA256: 27f2bfa146d2d50ae0694bc4d0fbec7e47642396099fc078e4b567048e7a439e
SHA512: 93f240508610c8cabdadeaf35049204d65985c10f6e3e44a6acef1ff0da62993460e35a6ed3e5b442e32ac751312efe4f03b6b1104b0adb5beb653d71750d3e6
-
Filesize: 45KB
MD5: e82daaf3a38c76f3e1cd3378cdafbd64
SHA1: dfbf9cee2aeac45881bcf764946f54ddc5014df5
SHA256: c1c03df6cb83b1016ff3f470513f7179c8ff0d7ac7a70f7efbdee13e3dfecb1b
SHA512: 2ea546a44eeefbf90aada2275b53dcef14ee7eef193451f669fa7bfc9af0dfba0ba042cbc95e1557b51b22b2a26dec9ffd1daa5dbf17238c6c6852adf71ba9b7
-
Filesize: 81KB
MD5: 8e65e033799eb9fd46bc5c184e7d1b85
SHA1: e1cc5313be1f7df4c43697f8f701305585fe4e71
SHA256: be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4
SHA512: e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd
-
Filesize: 335KB
MD5: 183a205187acb2b5313800eb7200654f
SHA1: 3f71e3722409a256ea8aba277e9b459906abedab
SHA256: 5cd1f3b175ff2a492fe581ad80f83affac3b6bf17602a06f4c5f2368373a5774
SHA512: 39b0ac5723df4fb480d2af1b4ffdbdc52ba3d5e6f78d8d33b954c36f3f69954645625278116a24691f5ef2b4ef0ee08e39c592175f503938fb4f5418c2d6f53d
-
Filesize: 102B
MD5: b0e549dcc425951a670808d628ab5181
SHA1: 63c37e4fd9193836f0100cee2bf76585787ae94b
SHA256: b2c8ee75956c3bb7ea6865137c441b916badfb99c922c17785875e784c96e29a
SHA512: d6dc7c7ddd5ad8ca06a831faa6bd399c8af77e0b21cfd039c608f366fb54b8d4553fc8f947a070544f472966190cf1ca5a236d1084be824b06684b6c6e8de0dc
-
Filesize: 72B
MD5: a30b19bb414d78fff00fc7855d6ed5fd
SHA1: 2a6408f2829e964c578751bf29ec4f702412c11e
SHA256: 9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f
SHA512: 66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490
-
Filesize: 1KB
MD5: ee002cb9e51bb8dfa89640a406a1090a
SHA1: 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256: 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512: d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize: 84B
MD5: e0909520982fc48e47a6451443b11741
SHA1: 0e46425274933c153ebf5a03f25e693267a8cea2
SHA256: 2e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654
SHA512: 3fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8
-
Filesize: 53B
MD5: b4d869dd7052d78d29b3e439565f1600
SHA1: caa2cfa31729f4348a02514eba0235e72b88ce5a
SHA256: 0f8ee89c4a420bda691d058cdd96c874c2edeec84145c81c957e98d05e351d3c
SHA512: 1fda3488df8c43ad413b2e69a5e2292322fe837f7b27b88302b4e591e7e13fdceacb0af9b8bb92ca7c0d2b39abffc776c6cc35d18abb86ce91f55c719b43480e
-
Filesize: 119B
MD5: 390af74c5ae643320cad0cef4fa8fee1
SHA1: 22ce727f9bcff9a914eb1d58ba8384de6fbda7e1
SHA256: 1148c28e540b9b96237b35170a547a13165d6c7c039b8fff9e4b2cd774b92f5a
SHA512: deaeeeffdddea1a9047e97d82e3bb701fb865adcd77ef9e985bb0ec5e4057155e7b83cad4f9f3dd256edf89f19d1075349cea5005dffff8420da4d0646be413a
-
Filesize: 117B
MD5: 0abdce2e93f6542edfc9dfbcfb61ce89
SHA1: 08067386e18ea1d48d916ecae2d2583a5f6df6ce
SHA256: d912b0ee06353fc36393d1c187a22d37d467e14ddb389a930ff7317b6760531c
SHA512: ec60d26c4b1c1e437c5c88fd9efc504843551a51d3c1b036a5b518cbaccec6e86fddca534b96d490872c6fd53a874f765367d3784473b948f112a51addc9f730
-
Filesize: 176B
MD5: 8177721150435a9b333475e2b8a6e691
SHA1: 8aa8981617e8f3d8967a0a4a2d20315317eba293
SHA256: 8a4800ed5f63b9371a024c501ee2b031af94539e32e6753214e6d99c625c018c
SHA512: 540c4c52030c6a4e1efcfab5eb59760c696bb3e3f1b8f93c97a6368639a911ba3d395190fc0798d99f3c63e25b6dcf2ded482bbda34d36ddd874dd20c2cfdf74
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2
Filesize: 1KB
MD5: 3de57e3ccdd9b8db1f0e7c725bf2aa7d
SHA1: 8fb59a6f70ae52073ac80d8ca234228aac77343c
SHA256: 2ad53da1ca034894ed0a55571c739ed8750a35aa51b99f235e90f65157cb21ca
SHA512: 920abb22be2f3fc0feab8d22361cb07c9bc0d3c4e87e9a8025bc95ad207d1783d80007fb884a9861be81a93c9936e23972b49f19d715861b9b669356ceed3eac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize: 1KB
MD5: fd8a20ae034c688d34c65d0899328dd0
SHA1: d8d1418441e290da13c08a0a53842995c3431779
SHA256: c31307defd1c468c6351e78fdf977f2bad54d495645596af99834d55f596cbb0
SHA512: 707110747b13354c6fa82d82534cab8b3b0dc3b06b94494a4ad576b5d28960f00e3aeadd6ac07b99a0e9dda0765ee08e2d6b6b5b2cb13deaae48043b506f1e7c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Filesize: 1KB
MD5: e4b82021432532761b974e337ed0e76d
SHA1: eafe08bf9c38219e7c31f3e4de10eb378cd6a85c
SHA256: 38a941ac9c4ecda3d20b0823e81f2521f8f61838f7d60b69998877c7fc95a493
SHA512: 430707c940340ffba8ced7ecdee071d1a9b8d54437df37f6878061c6eaff06bfb44f04435e37b6f8f238e9aabb3c3e72e4b63f83cb51033ce5db452c78f75eee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2
Filesize: 540B
MD5: abb4201c4886dd3bcf0efab2ddb1d746
SHA1: 3b80c690260b8a37e3bf8097c7e7feabb3b2ffde
SHA256: ca35befedc1df0834c585b1d70148e69aad8aa60dd3e4990970c551962e0f278
SHA512: a7a969d35ee68e3a8cd5d1b0e7d2d92de51c32cc8a2ae5b5b9b09ceaf455076c3438937204ba1bb06939f2c00da241b5a3e0257eb16db404be08928b1a40ed0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize: 536B
MD5: 5784c175c748493ec5a51da8f9da01d0
SHA1: c9f43740413db9450c9fc52d985d9c4ce0429a35
SHA256: 8353184cfc18a4a5b487fb6e5afd02ee6f5a625d27ff282437dd2c5ac3adda57
SHA512: 68b4fba5938ea4f40d813ee28f18ecb4aa387463e9783394bfa028ca9e2ffbd98fe4a224ead1b3bc97d7fc8432ad83b7f219c5bc44185e79805251cfdce60c96
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Filesize: 508B
MD5: e023456a35e4353b8c3868db63d16c6d
SHA1: 3b8080723290a3683f1727bd881596ee361a49e7
SHA256: 32a2e43781542f1cc281b239a28335fdd1f429c2529b34a439ec1ced2f5b2edc
SHA512: c56e550d8341f15c08a6bba94fd9f3400aee5c3cc0ba68d3fb05c9be1c91b03268b544c09f9ae53dbbbf78d26bf7f893e3c26dd55824e7adf02da8a604a727e7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3dbde6d3-c6b8-45df-8bf0-52a53611ae72.tmp
Filesize: 10KB
MD5: 908031e0a6b8299e77b7e6773662944e
SHA1: 7b90a7e78e10bf2a8c00221969a2b8be91dcc26b
SHA256: 130bc7e85a534bcab544b5411078319bbc807557e9fb4290841ff80b27d91775
SHA512: 043c2bc46b943a3f5e37f1a578a2b449bf922bf09cad82c0bcb3fd1b9ebbb7e669028d1ee3150e82246219946fb48d3abd869e52916a784f7f11ca46bae77541
-
Filesize: 649B
MD5: 0b4063f834d056521d776bc95f02adf4
SHA1: 1d4bb661137f2f1dfe50ef1f019cb5b6dff07ef0
SHA256: 3aa717a56e2afc0474d703af8248e2e940f7fba4e34c5e3bf110b5ef6d1a1ac6
SHA512: d92696a13d9a273012e37e4784fd3c47c1e027b7c33a5495b0bc60b98ecba78af844bcc1cbec9153e2611d8fbadc96054469b44309f069e390a0a49fd2ffbf80
-
Filesize: 2KB
MD5: ecad59ac0e6444160730730616bed0e5
SHA1: 32524ac1affdcb8052dedf5c2ef91ade076833fd
SHA256: 1d495eab533b2dd92935488528c032905bbb10005295613002720eb9ee23d5ba
SHA512: 7d015d2e2ac497657469f490b47798f03277242ecaeef6b626f15bd66a570f616fa319f90a220fe02976f7ff28791f6738bf07542e4bd1c25bba3d16c2a1e856
-
Filesize: 523B
MD5: 1beeca67eedfb9e27e0303d69c898f22
SHA1: ba8c0906c0ef7156f0962e4305ff70818de1ba87
SHA256: 6a38a4b0df1cf96b2591513a37ae6dd579ad3786e56172838e2609762697f356
SHA512: 26f295c23e930722f17741344b3ddef2bdb1e031911bfc34a65ce627c3ac5981eeec0e33dd8d41e20a6c053323cdd29e3844a84a23e63ee963586808b8e136b3
-
Filesize: 11KB
MD5: 9a7bf1b1d20fa19afccbee520193f33c
SHA1: a9a81e3e68c7db6b74cd452b3ee801ce25284228
SHA256: 314ea68e458ad4961d718e166db172d54428462da7fafc7b9326f79298269761
SHA512: 9ae65da492df43162ba0bd8691a6e9b85f63718069bdbf10a7d96bf79d5afe118c67a439325200586e8eaed5b8c38f6690ba44239f695eaa59252b650bf9412f
-
Filesize: 10KB
MD5: 6e658ffaf65cd783acfa8193a4c5bf47
SHA1: 3515eb01f18ff1ef4bd89157b259dcac59477d55
SHA256: 87c4dac9f2d3001af4c496d0c595294728794130712ccfa4f61f386089a0ae25
SHA512: 9fcb8ca3bd85a45517a6d9b650309d44e45fa67b72ee5170160eaea459414e3c244f15a0abb9d6d76e2ec7e762c8142a2625851882ef99a97e56abea2c9290fa
-
Filesize: 11KB
MD5: 4bdce99caea45383a04b70d528693af1
SHA1: 95a505f56d79ab8e17782830eca43e5a9a0665be
SHA256: d449493c00a06151115b61ca6f5138236ae7335d97015ef69c60a9fadcf3be96
SHA512: 7cda14690f38b7dcec0adcf28fb9aa88c0722a30a40fdf614cb4ef32b030a82009447b9f90f2149ba051bfb31494c06950c63d46a79060cb664e0719ac4b405f
-
Filesize: 13KB
MD5: 6322da7a0ae6ef520816a82a8fa0af72
SHA1: 001e6e29e0d0e01de196dfcd5b39d590258fc55b
SHA256: 67683a8efae51faaf9e7fdebba39c907935b92f3ee714ffd0a57e871d8d5a205
SHA512: 82937ec67a2bfa7bbe89acea1ede67ad3bc0e615ff108ed141b2f3f10bbf8ea9438c2e4751e4f45b6261b37370a4406b615b0af3c66e8464b47fba9ff726ec04
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: b7bb593a04280087eba7df1488c357db
SHA1: 6d7baafa2a362f273e7ba4e3127180b53aeba90d
SHA256: 62c432e747de113e82137b71e5fc8badaecc9eb18b0751ea98c72b5db1a37e4b
SHA512: ddacb8d00fac08f669032bd563d9cdc01b3d290d71e3b215cfcf42a86a36017d654935155e0d5514f4b37bbe564e840a8dc7f444656af4acffa3afa1c0194ccd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe622e2f.TMP
Filesize: 48B
MD5: 877043a0935f4b0d1d2e4bd580e35a37
SHA1: e5cc08f3da24f5df4bcd7088c0d605b7d18ee163
SHA256: 2349bc755a1040f1d2aae30d9e35715f35402259e64f5bf936115fc5e5306499
SHA512: 095c9f25c657c98c5acebd7270a69386bff1bbb71e3b75d5e27c4d673d55ca8d42fa73349c15d7cf77272bc054dfe441ba6baff62753bf6bc6e938b698147330
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fb1d23e6-c7ad-4993-90be-a4eee47101d5.tmp
Filesize: 11KB
MD5: 0ac17e718f5b6e02e6151713128af5b9
SHA1: 59d427b6157e20b3a817fceee45a2c6229b0b9b5
SHA256: 79014678af5dc9f45e576dca14a38a0a8dcc30fd87a41b51296a89f1b74e1231
SHA512: 51638f21c28bd549315e1e7fe0a830bf1d022a6c7346b52acdd026ab7cd0c394dcfdf6c9410a33541cf3a4ba24fe34db830bde74454ff605d42f5181a4a3c50f
-
Filesize: 167KB
MD5: 54a8acc893a02540df2222d9264cb0c9
SHA1: a6964a8888aa342651a122444b2f1eea54496746
SHA256: 65bbba507f896ba634560c3df49915e79641082f127bf347545639d9cd96ea23
SHA512: 130263515e5890cad368ddf201729d86729b6a6ddb379a5e6af9bc4478cf25096989dfdf1f94242424c82b18be20ae2a82b98931c4aeb329a718b788020aabd0
-
Filesize: 166KB
MD5: 32afc5f55bb3dbef5c74d7e87256ae0b
SHA1: 980425caf433399469221f64a51bcee3713a687b
SHA256: 2c227a2e0054924de053de861679f4a8316d63b977bf7a7b24144f3a8925d95b
SHA512: 28182b051d93dffa19d143ba456dafdc679bc53e70be34e492ff6617b3c1c930471f54502f534fa21fa288de29f87cfe288b9b4ecc74a3f678c3ec4d412b5b0b
-
Filesize: 166KB
MD5: 3836592b909fe3f890348c510fcfa7dc
SHA1: 83b246e3718370bf4d6a935a856dc9b1b2004bd2
SHA256: a9ce1da34ed53e2659e23d2eea6fa8783378b3c4da29042b2b8fff2b0ae1b1da
SHA512: 71a01bae48687de7d8ced2d30f548be8efee344426bd27585bfc6f52dbe1d25a1df3195a370281b9e8c54c46494a2cea257621c896eebce7805ec80321d1c42f
-
Filesize: 83KB
MD5: 808f82f4743c688a5308e65192d30837
SHA1: 77e615dea348b18512160c86a4223ca99956025e
SHA256: 27c659712c6832709fefb2ae5405aa54cf49c230c84a00fcf2bc6e44cc832a85
SHA512: 3f87556d84babac18ab8bcc7599b40ea148a25319a90dfd3b36b24aff5960ba60b0dc8b48ea122c1d936903c46e041e2dfe251a33fc1020db4e943d0f73cdd9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\autofill_bypass_cache_forms.json
Filesize: 146B
MD5: 9357a694006d8bec3d0f8c9607b76ff8
SHA1: 6335ce691999ec10de742cd07d074eb648631259
SHA256: b6c37df977f149c5a444c72ea4469ce666c7975d34c6e2e0d9d8ec416f57dd44
SHA512: 87c2d0192f3a78b13a691cda14da507f260d13331b792eb973869bd6dbd0f207faa48f68882be691641b46c06ed12ee8b9728a3b596df67a1f9a4831b4369a44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\edge_autofill_global_block_list.json
Filesize: 5KB
MD5: adb5f6058f82680a26d6ed02b44e5a21
SHA1: 6197ee74e40c742e184357dcb6dfcc7e32818cae
SHA256: 7655c9afb5f2ea39b18e302498b34009ca02b72451f82a6d4e7fb4d8d954f050
SHA512: 742dd8f6eaf1bd5f24b37e90d7a3dce7bd0a8edf399c2dec25cd92d2bd6e1d663ebab3c68234812f0144061d4f22f0c2c43de890f60e24d93133bbfe23a6d1c5
-
Filesize: 509KB
MD5: c1a0d30e5eebef19db1b7e68fc79d2be
SHA1: de4ccb9e7ea5850363d0e7124c01da766425039c
SHA256f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1
SHA512f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a
-
Filesize
280B
MD51a9860d0a63f7df89e69a55c181657ea
SHA1491f18fcf7320563329183e5b7ce72dba250cbe8
SHA2567d6d6b6a3eebee46dfa220c021bb383ff9457706c4d700d4958c8fc71bbca8d3
SHA5122dee55713683f114f393ea12851e14236ecffe2d3e986dc5a57f87d2fa74630042234dc8914e065720ed8a6cc7464b6ea6ca7df14a8842247b3b131b6dc5f946
-
Filesize
280B
MD5dec31523e93eb89c5413b65cee25327b
SHA10ece56a2350174e96787cc817d7dcfe3f2b7413e
SHA2564dba5edfbeb00cf29210c320302e869c5b9428a669438a56092850a74232d856
SHA51270d4597d8266b0d9424ddc3ad439b885afcb5a48e2bb831754b6ce092f230c1010cdc9a562aa0bcdd728dd77eb7b7f5834e1d09bf0f011c7ae7c0ee0ab846d31
-
Filesize
280B
MD5d143dadcd7b2ddea3618fa997311e402
SHA1eda1c78e0873f3ef60d084f57eb701d3973cefbe
SHA256710a5d1d254e8506f3de4ae3a00d4c37b4288ce243ef6f540fa98e1c81c5aa27
SHA512e65001ec50b45ae54d738424708fa7a532493f9424ee6b69a57959c82661422a6eea5728788563641b77cbaafa3a6ff5140c5cb792bbc966914910381c5bf6b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD531ab342461e78f83012948f34ecc1a4f
SHA14b926521a96df0742164811034ebebea84f62594
SHA2563cedf79569f7fcaa65201087aafa3826492e8c94ddc368ee3a11c7068c460869
SHA5123d6d0fc9e6d482e15cb61bcb8681134e6a074fe1bb00180f1bd7c7f734d144c8349713963db43e20ee77c191cb9dd3af944bdc55d1dd167b5ed96ce09b7650af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD53c865173edfa68e9e0e088fc8635f460
SHA1cf0f659f9502a004ba46ceb8e3592ed031201699
SHA256f9984856d4980cdf54813d24db693ec789376410fa2d1d2ed627e3684a3f4243
SHA512724a69a90f860fc8525a96b169589bce21641a38bc4baddf08e138fa0274bfab777f21303b94149727d23949af0eeb880f0116134acff74419a31420a880d365
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe60f66a.TMP
Filesize2KB
MD51b095d2f4aaf390a5d1741e445401c07
SHA1c5bb6b96e08e6c42713207bd98c6dbe5cce02823
SHA2569618de9b397490fda20860b3949c03240c93e2e31400d9d1a65acdce004336d1
SHA512d74cba23e514388a32abe62aaabf4cd81ffe67b9edbee29864e31b9ec5df342cd33d569d26578dfe089c0eef8eb23688ffeb18dcd79e5faf9e37ca3ff6b22ebd
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\_metadata\verified_contents.json
Filesize2KB
MD5c7182c4ef7a2cd6a57e48d44bfd4af9b
SHA12e1e4746da948d83baf4bcebee618784f8ab209c
SHA2566f64306515428487987fabde07ddf1646f64ad4e3dc4841e982d40ad91459822
SHA512d8af16336b66e4f264eda4ea68de4c1763a9c9b99635184d9ece67a9ed69a09bc1088bed254b3d2a8877ba3218e043065d1e4a06c20f18b58d312d93fb84bc83
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\filelist.txt
Filesize134B
MD53bf6b4eae5af15288bf0d79702f9cb78
SHA1b8a052dc4973757ae865661ea0300dea1d27f3b6
SHA256543c0e50c16159439d3dfb3f1151bc64e2f5b60a0e3824c5f93c4c5c14dd945b
SHA51225e2502ad314635035f303aa1f0f195c28af91d0b51280e5a4c9310aae65aad857073137196f41a9a2fd7ef96e54ce9b329c448d5acf87b10134168ee7652c0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\manifest.json
Filesize658B
MD52cf796650e5ad5bfb6c4a421d81734be
SHA179298d3cdd584b290d825d6fff4b857012e71992
SHA256fea905b763b26db02673c6ab14f422b21eff64de59351f0818b501dd4e7f9430
SHA5121ee7604bd7293d6296cf1368ed0dadaad7359f4d00be75e7730a9704b2205438a06ba7361554437b3e6ef352482011a90500769ff713949716c24355ee742e33
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\babylon\LICENSE.md
Filesize9KB
MD5e57b8dbca804bf4a2db759fa1a70b3cc
SHA18acc131b3698964249b08a0178f7c8c467337048
SHA2564135d3051e1bfdccf0440f6d8867a6dc1e39587694995479c3e29826e53aff63
SHA512d2ca91851daeadedcda21ecee4cf7c9244cf21a15709e472014ba6a332a374cba80acd165b2650ce2c3994c7d0156376c22db00fe0c47833e0fca466bcb8c627
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\babylon\babylon.js
Filesize1.2MB
MD5e1adfd8f62854c2d9ce65f13268c1ac1
SHA1d564ea1d59305bbec12995ee43f1c28838e82519
SHA256b5a426a0769b378e196ab2698c14a326d86ab2443010e16e4ac3cdde06371e6d
SHA512ffdf74b8bba179c7d5d6d49205b8aebfc7b27395852d05f1ae5de5c23b5dfbd87776f2046fad20b652a7663dacf90da0336a802985bad14ba3591bbfd9ca4caa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\typescript\LICENSE.txt
Filesize9KB
MD5f632dfdde0adc0da86f701c6f2df38af
SHA15a7612b4d9977a7e79f60e88df556b09a90df828
SHA25643692cfafa6a5c09136cfa0138b9c78efeb56ee6b9174553dbf704b888771f6a
SHA51287722a2d675028d18ea276dcf18c24e891a0bad5f85f7387702310976d2fb8e1d0687321b0844b6c47947e6fbb489fe08bd1ffbe9772955ac7191ba4e274c8a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\typescript\typescript.js
Filesize10.4MB
MD5d931cf27eb964f239e5bec661810abf5
SHA11616508213014fa7cdb50e691cf737169019c6ed
SHA256986134e07f34257fd85c084441c825d7d8951705a0b8c76b0d7c5499536cc959
SHA5129c2bae1025c1c9579e5e7ba8119e11bc298bbf968aaaaea94f12b8a96155f63bcdbce60deb1445c484aeef3fcfdf96156fc804c2867726617e7b772440989fb6
-
Filesize
108KB
MD506d55006c2dec078a94558b85ae01aef
SHA16a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\devtools_devtools_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
4KB
MD5acb75893057c384e27e360fc8f086786
SHA10292474d6b3f74e36ccc2da9e14866e3dc51e3e8
SHA256491f267c09ffa70e10a32329f96de9d100feb18076f088cce383842ddf7aadcf
SHA5127ea7f1c139a97d0cbece80c4dd7b36fab886e075becd395631637247525c0127a3cf631e48382b6607d21faea688cc2b495d6d26e8aad27f9bc85cc60b2595ae
-
Filesize
4KB
MD57f8abe6e55d2723e9c232fabc0d30b01
SHA104a41d4202fb27282e70a5be271bbd774f965537
SHA2561c7981789ff6261766ae5d204ce30eba753406b24e5ac4165c29ed8fca7175bd
SHA512397699e7b0ff2fe137ba73efaef1b0ccdd3398b6452197564d0a867736ca9eaaf5575b8b66c1c717798d834d83f5b9f163bb01a0da58e57a95362ad72b3802f9
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
17KB
MD5da9fe265efb88831f7f843f6fe7f47de
SHA106b194e26193d6d9f41261c557891c1a1b934015
SHA2562be86fbf26189612bc182ced03d462ebd40a1cb7dd4abcf2a1047320a32653f8
SHA51211dcf7d118bf637c727de9f7b90dc20e13da57f2630f2c0dcafa0c4df00268d0d9507bd95a1486fb63af43816cb052d540157b5337cbc21e97ca0e213b62f2fd
-
Filesize
18KB
MD5b06aaa79c55b3e0454379a00bbacb72e
SHA1c99c42cb6d7289492570f2cf491a1700d6a474ca
SHA256480b72ac4c71b7ca8aacb6281f080f57c6a9ddfc54bc5dd4a480bc90f475c673
SHA5123f38260674b3b976980a5f9e2ac3a8b754b1d3d6641ae49060e837acd08abf8cb6d42b7da4874cd36c1089fc562eadc19fb92101614e17b6f2bac4e444181675
-
Filesize
36KB
MD5e245f136eae0910af788818da98e2472
SHA1c068b135b16c280fe7264b593296ab9db194c844
SHA256d5b0d1b1efea010af55b8fede2065286861bd2a3d3c0f40241d3146c99e1dc6f
SHA512359178941502edc12ab976b4e40bc5ca6d5d15f86e0bb8abf31743f67b4ad1ba3a76e51a5082d14de2a8231adbf17f747fb22eb41a2c2e57f11832f7131a0bb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\36fc7fb0-4b00-47fd-a2be-bf10b1b92d0b\index-dir\the-real-index
Filesize72B
MD56231c3c73bb184989c463977297f96b8
SHA1433c55449d96ab79bc01e5d29648d8b283fead8f
SHA256cfcafea1baaf74fa4e577ed95be25c7d344299a7c14fcfd3d04f5e6869ec222d
SHA512abcacc5ceadc8c224c3857d505a832eba278c076c340722189ba7884bcf377791632ef597aa2016d2f094ffa2cdd8c06715c00c9b14e2461e54a2353af1a75b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\95ebebec-c29b-47cb-9d8d-df2d34226b29\index-dir\the-real-index
Filesize2KB
MD53df341a840fd460289915a2fc1de867f
SHA17314f9878142ba234fbef4f87f692c26d3fef47b
SHA2568837c13c325082906b6ec47ca52479d6dc12932a70dfa7638f61b7ed1d30d012
SHA5126e740183e7c2bb51ff31f2d6c71ac3eb04ae24e10cd72a06484b82f6d17ab36b5f49d8879871bc3040f5e5d94af45d785f977d5799391b25215efa66e2049a9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\95ebebec-c29b-47cb-9d8d-df2d34226b29\index-dir\the-real-index~RFe60fb9a.TMP
Filesize48B
MD552084b4b5ce2e27b6295b7519c02121a
SHA1ab38c5f3eb54b1e9c56b96e3a25e7735b57b365a
SHA2561c8c99775cdbc4e5d979daf38bce3b1de4106b4d52fad0f49afa6e4382dc6025
SHA5129c85b886794d25cf61023b04c490e0c4e9fb5dd06aa61ea619052ffa68c68029203611cd90309377949785991e9db2c85c5e24abad0687b6416741e41b6eb27b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9632ab6d-daef-4b45-8e34-eba1e9068056\index-dir\the-real-index
Filesize72B
MD5f648935b42dd95f7d237240f09433b88
SHA1942450c85f3f1c014936d294013a82135c7c612b
SHA256bd9b0b7307a65c9bf96e2cef171776369676cff5c14598a2b8fa6f4f591e3603
SHA51287a6c5de0ff7a404f3a1f4aa78c688a69cdb33f0d352d0fe26877067264b9878f741c0f58058b604625b796e0ad5cba4a3f8f43d44db927f849f0510738d25b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize324B
MD5f1d1b212fa3a370eaff1c8d58bc45cb7
SHA1d3f3c771f8b3b1c63a81353775a2c48a6d8396cb
SHA256430c0d8896acdee0da3de9668485e3aae1a365734cf2ae451a8d24efdf900d6e
SHA512b1ec95706df2f980b1da3a89e5c668699791df3f0c92fd11492fe483563f961aea1bdeb38f9ca3cd08e67ceeab96a35531824f6cde69f2b9abc047bdf19d6388
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize320B
MD5087ea015c5957db7a78acb6a4a6f8ef2
SHA1280dce5eb33202b8c53f3d0fa2ade60fe9302ae2
SHA256bb643bb8fafc6bafb7eabf0b583b50d9b4d7703edf4e258094c63d13056a61eb
SHA51264b98ebcfb35141e40edfaa9d2336d01a709b83c6d3e2ffb101836efff94f92664e625f8fc43d1a6d62603daf7077fa4af734967343bbd333ae0481ebcf1b8dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize322B
MD511d0a713aaba0cfb4419433b53fea6a2
SHA111854ca283944af449f5aaaa7478e82b256fc553
SHA256025af480ca2d3b3e2d4cdb1a3209f20ff42aa667cf00fcae20eb4f825e1bca4b
SHA512a8b841ac7aa2b49ae2e31f0fce17d16b48bdcf62f2326a97eb636bcbb4f5c2c878336a4cdb31018435048042554e745ab9f1e5fe67380304c1b385aed7588904
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5b85bcd3ee796bf8d8cc52cb8dd5ab6e4
SHA1b1666e9ec862d03a5ca8509a0758aeec81a21a79
SHA25694d65a384445486663a8ab92dff67252f37cfa9fcc8e3de6e28e40b6de5e1f5c
SHA51222195a341d2e8dc46d070d43467de93a7f8b603ffcf3fef4b8fce570b21292414e4d05294afa0a59bcd660126aa48f105762bd17ae96cc3979c7994c3c477a0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync App Settings\kfbdpdaobnofkbopebjglnaadopfikhh\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
22KB
MD54ca4108600f11999de2bc3b9bae7e627
SHA18dca62f12325b70429d4024b63389ba182e29e05
SHA256e486db8cacd21a271c2b084af0d35f294fe73c399f21431272e749bc9bc27703
SHA512db3f757424b49eb9f5c59eda78e3121a0334163609020df9c14893ee7ecef44bf5f889f451085b7c5df066cbf00bf7c988c076d921053a32505e47f84caa8871
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c09d2144-a007-4717-a74e-c9816be45657.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
137KB
MD51bee2c36cebf096d8a559d5c4eeacff7
SHA1c695eda67f31d729dfc336b8a471ad6346a39031
SHA2565e4014e267eec120e673cfbc407e4340c234a7898319b35a304ed6ea343a7999
SHA512ba520d383be95d8b15140b7e38e4e7ac03077bbbb8ee5326ac4162be9403bc9f0576e53840fc22cd9c4038f19f60bdeb7b4e8e0125da6ed80670238de812b4b5
-
Filesize
462B
MD5fa59002999ddfac171bbce6fb79e8b82
SHA183fdee7e99e7aa3ef54d101418986b473db021b3
SHA256655db15ef208dfb6c363184fcd253414721771b8f9e360d651ebfcf60bd4255d
SHA512aebb1407da70843df22080f1473505eaf452d85d0374a129a95aea87117dbf6d8be3be534ada1028a8a72fe88d631e4038ab39c446ad068d07415635b47464d8
-
Filesize
264KB
MD52a16891dc6f1b5cef8c97fe2975889c4
SHA12b4fc0e7ab889d0efd2600cf3e2e01c5eb9146a9
SHA2564be7abe72bb0dbfed4ed77abbf669dacdb0c7cb2719e3e293a2e25d68fdd55ee
SHA51247294dc4e2a798f75b7bda563db93e9d264c775044b66b6ce5fa7c2cc1c781d7f9dcd5b2e2d5a52f0f221872ab218883ee259eed77a4f3d93c0376e3ac7a31ff
-
Filesize
45KB
MD560c59422aed0412b9c0529a2f84f647c
SHA1166737aa82e7955b8b8b1c576a8d87593315aa3e
SHA2561d81511bdb1c4db0eaa071ad9cbf3f5f14b8e13cffd7f1e910dcce5f9983655b
SHA512d5f43cd7dd278240fe6842326fbb7d6fec7b72a31aa537dd4e416f31ca3a1090880f30b79e54d5dfa4901c18282a2a3c61b846c674a7cb477e4cbf90435ef0ca
-
Filesize
37KB
MD5671131be7ba3ee137a9388526128fa21
SHA1a714c652bbdc792d00e2ae614bd4807f476aaf63
SHA2560127ae2459a3dbb976b1c34b8dcc887d19ec30eb6f58460ca1a27520ffecc934
SHA512d50ce0a4c830272422a0bdf4b61b2072c98d0e7ba9662d662f703ef7a03b8e79740d9e6f74acb9a03c30a58d5934cd9f653e9dda914150df9eea8a26458f3dac
-
Filesize
52KB
MD53897add8f29df00e81562b0799cef05f
SHA133164e3cc1593782416f3f7b0d67c204594048b0
SHA25683d918ef0c433f2ec5ec9dd452c6030ffbe7f3cfb9ffb18a54347a4665598cff
SHA512506f50a53fb89e044fdb520e032a919a9d3f77ee10034f6b762d1fb3b688e78f97a872f4287444dc2e260f9523b88fc3b4bc973e0dab0dc427c421da8caa5daf
-
Filesize
38KB
MD52dc8ee210e55476175626703693f90b1
SHA13a484007c4718eca7dff53f1866e7202c123175a
SHA2565d23c980b58a0aa2b3be11d3f9a12d76eeed8c8e5850e859ee0aa4007d3b7d1a
SHA512ee1a6b9896fe16edb9e84acef706a7924c756e076483460fdfc46bd5c4bb80fa32288c95dcf42db539d638c0012fd820703788f1c33328c9d8181b9dd1bd3c35
-
Filesize
45KB
MD5963dbc0902b7d11472bcfaf0c7f11cf7
SHA1b0933fb9a7250479e19c7c6de868d84cfd7bf981
SHA25683fc398004b286c82d7612bad35445477cb2e6b567ea2cc03c80878bd93ac90a
SHA512761c7b74087e6b7b106e3c0ec08ebaad4e1ca95fa5cc0c04b0ca0b0d35640c7535e01e3b12bfaaad74dd7f5d5a4a53c7bcb53e49ce19e1f56c076de51c7fdf74
-
Filesize
45KB
MD5d3f0b25ab1dcf259c4fb84e55011d19f
SHA1350b9caef5ad871ec26860100b4a36f671943145
SHA25669132b81d39c2ac76fcc376bb4098d49aeb241f7902fc9bed908d46a465574e8
SHA5129acf159eabd754150839a908bcbdd71c0c205cee95f1aab044a729067df80a74050cf6069e65985db09840020b9750cc0c864a0418ba15467dc78f5a1e5010f5
-
Filesize
291KB
MD5916f38644626b7201f29c01bc659525b
SHA1c259bfd1ccbf1347b6a0bac43e7aead100ca7092
SHA2568ba4acc8582041e5caa5dc4c73ade421b52a8b018e70f12b7a1437f74c6a955e
SHA51233539525ec8bf13ee832365994dd6b3bc2162ef64e032baa1ab6e45d701125d08009504c254e85b763b69abd93f10366a4b44e5e62f7705c988c089aea447d19
-
Filesize
11KB
MD54fdf7c8ca48768f459c97b25fdd10d9b
SHA1d1f0ac34a53294875dd7bc03dfbdf5c7ae65a4d0
SHA2566a350094ab9a19b758f6660a58afdecc44e83b3ce8c3521fe3b831d5945a3911
SHA5127322c942946b83ed8cf8875613f72ab5fa5fcb4ca1671bba22bd02404546f8ce099b2941cb0897b3209aecb85b6ac2f1b98f2d11678e5304b55ae3974192042d
-
Filesize
11KB
MD5563bdb2192acf2c106832f696df5d84c
SHA1898eee38d08e09254c39dd0d1707c98f95cb2fa6
SHA2562efcd280779456d767025a4f2915012cb9b11af2b8e199d3f32152232bf09460
SHA512550e3dbaa0a5d74763465318b6f14035e16e1d70602ca36a5636d159875b527fae51f0c7f81e380797b4871283dbddb964017e7a16857228a621284d7aef00f5
-
Filesize
392B
MD53b582f2d3e620cafcdffcd2a1d2daacc
SHA1bb77f2d0a185f626a3e40dc5f0f97cc2e3db37a3
SHA256837cd42ef6827d823bb3ed3270b7d5f72c94495516f0c41cf9e3096b9ba38b94
SHA5125f6a62b6980076e5b09799e42f6d1bfeedb44c468157801bed0b24b15af515562750349fa115a7bbdc26327807cacbe810132d4df0ea46a8276463f8d0b34a35
-
Filesize
392B
MD5a9dc465c7d850ee61709dd9cd567652e
SHA14eb0264d83e0c614c458c86d483aacebd0b596e6
SHA2563e792107d2ad3ba11322a8e00a62cab611b32ad6e989721cda486debc3f44537
SHA512f25069ae6f2e6d052e089edd757c714ff4b7b02746668c18a15bf8a87396bac14802d92da6d71b36c71be4bbf0bdc3e2f9bc4f3f85a3a05fa4d549f5bc8a9a91
-
Filesize
163KB
MD5bd6846ffa7f4cf897b5323e4a5dcd551
SHA1a6596cdc8de199492791faa39ce6096cf39295cd
SHA256854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666
SHA512aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b
-
Filesize
3KB
MD517c10dbe88d84b9309e6d151923ce116
SHA19ad2553c061ddcc07e6f66ce4f9e30290c056bdf
SHA2563ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e
SHA512ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.7.2.1\typosquatting_list.pb
Filesize678KB
MD58aeeb5c136b1deeeee3677f4b93e2575
SHA1c716557d8d504577e2d22bb710e94663b91c80f3
SHA256b8d2c9ee5824a35ef1bcc746200cc710bad4951d4ee16be4acb8a8f503bd4856
SHA512a5b927c20ade622589e09a7443e7fef2ae2b445b22aa773c4bd05c248d48f0bd0e7e2f3595441bd40957c08f29d660f27b7238030c51303d338738e2b1c51b17
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD5a4559319fbe22fb4da82a097827de78b
SHA10f3de1829e4992246ca24b30384f2b3c85c6a780
SHA256a5703c4211fe7f7357b398f6cfaae0f492429154e30f6463200b8a4837997612
SHA512dd1e4bcd9c379b7d1f9ba55f26fe266c5836460f99a2eb2437a312fea65360f9936c8e6525f88d31006cbb5b3028b27fcd56ca9a74c2ab6f4f1077fe7d588beb
-
Filesize
169KB
MD50e6fda2b8425c9513c774cf29a1bc72d
SHA1a79ffa24cb5956398ded44da24793a2067b85dd0
SHA256e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
SHA512285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa
-
Filesize
153KB
MD5a1b7850763af9593b66ee459a081bddf
SHA16e45955fae2b2494902a1b55a3873e542f0f5ce4
SHA25641b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
SHA512a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1
-
Filesize
504KB
MD58bd0092b3561d926e98e0f8836a744e5
SHA1db75ca62c6bd40b5381a4edc49ff516a8420fc94
SHA256c9dabf1752ab3d0ab1f88cc6aa5cbf37ac95f4f5fee3acc78b7f3d6118492049
SHA512f1f2a102fc6c714256fa9095c063f5d0e40b89397c938bc2bd9b9f3d97a8a5b3773f2050eed9c1e50b4430049ed21f1fd128ff70a13f1ba78a6f7eb3641fbbea
-
Filesize
2.1MB
MD54cd67032e35fa92f5182df10df289906
SHA19210bfc66bd808ffcd7c6443e160dc8d6754c416
SHA256efdad7555293ec2d14399c2c2fc9d07228de1f6e3746b27da621b76fe5ceea07
SHA512f3d83f6e77e4568d2dae539c95acf0a886926a001b4d80f0ea602387530fc333f688ac031b3057e1c2b0375426cf47ae33315f7da9ffaec601102be0bb7221cd
-
Filesize
21KB
MD5a108f0030a2cda00405281014f897241
SHA1d112325fa45664272b08ef5e8ff8c85382ebb991
SHA2568b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
SHA512d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298
-
Filesize
5KB
MD523ce7ea2a8100e466e40796a515eea42
SHA11a2f854ce18ea586e50f836be406142c551844e1
SHA256ff21c2dc626491e548332ee554bc3d89786e5b8206e60f9b9c7ffaede25209a4
SHA51213337128807f1aa1d383897d029c466a91caad56ab91d01bc3ff3d270472143567bed883fa16509645735990eff79738f8fe537f01c80b9f04086beeef751182
-
Filesize
820B
MD5c75e5e2cd17c40517d8b3d4096fdd026
SHA100f531b71a93defaad398176949285e8a5e76526
SHA256d6799f211f02819599dad84f43a26b314bcbdb5c5476e77f7e3d33529aec7caf
SHA5123ff0d3c9caf9ebda07761593cfbfe794b0d703f856bffaf5f5d535b9372ce4f7cb8024739a7c22c9386a4838a005d89a5c96fceecd429a706c52e7ddbc69c734
-
Filesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
Filesize
16B
MD525065b49c3f9d525e970cb41b2f93535
SHA1d10618df907dc4ee4f35f8299ecc7a0c6878b003
SHA2563afcde5b17c4106483645f1fc164a246a9498fd6af8d48584dafa0be6c466c92
SHA51243ab4329e1468d5002011f6fbe84e08084cc01a0a1db3a1db9386de194ff1fc5829a2c8916ce8026c68629b8bee9fef09956a0abd8121b54ea5aa86b25762c76
-
Filesize
102KB
MD5e02af20e191ff09db3c186066cc1375a
SHA10de9c222ce3568324603b2aec3057bf7ac8b10e8
SHA2565d7ed783f3d533a687877da91f9d6fd8393994206349503d8ccc419de9ed9fe6
SHA512df532d321c70512355e80821fe08570da1363a72ebbeb288ae91dcf3ee50544b1f9d4a1f895b1e1305eedc47ed0c6db9e0625cfbf1202d5d71d3516dd1a3fb45
-
Filesize
24.1MB
MD5002f626331cd40349d57521d33c0acf8
SHA1b93a5732a36f38b9a95ff06ff836e0cad0bd71d2
SHA256c025178c41041e2ffb2ce48170574bd69083487eb292df5f49b25020a153f1a9
SHA512b38cb3c9ce616345613cfcd94c994b22fb964b0fbd00669f56a7d329be386f603095fa2c94b8b7f5f4ee2db657acd3bd9c395fa561a27669a21ed40f9cf36dad
-
\??\Volume{f12d453c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c23533e5-4524-4020-8edc-0951e4dc8e4f}_OnDiskSnapshotProp
Filesize6KB
MD5c594967bb584e766e9628ec76b849838
SHA1c2000cc584dfcf4b84a276bc522e26fe2680a1b5
SHA256a75356722f8fdab8fb49d3b6f89296e1263240f284cb7b87d28fd990fc4897cc
SHA5128e611f791bd9dd857bff3a50b19b1ccaea1af3bd34c602db2fec0f3bc310a8f0ca7b5947a689022f03775745e843bbc0ac1b596bb8be3f5e412d3101cb62b930