Analysis
max time kernel: 480s
max time network: 479s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250619-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250619-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 04/07/2025, 17:18
Static task: static1
Behavioral task: behavioral1
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10ltsc2021-20250619-en
Behavioral task: behavioral3
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win11-20250610-en
General
Target: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
Size: 161.9MB
MD5: f90bad1d98e0b83c6f7ee6de8ef14808
SHA1: 1d68942f29c9a7dff0bf5bcec0f8a407b79dbc76
SHA256: c4b825fcd3b18955157e5ea94fc13baf2512c9b4d69c484d087904fe8fd8a5b7
SHA512: 3582900b604d74a8a2977a1cbd5cf07a398db3c0af47f1c92d0f109aac40fec5ba29e174b05d7b102684ec5f6d96a27eb20b8f31639c2239ca9bacdaab9506b2
SSDEEP: 3145728:wujlRWlJTp1m+q+fb3NtFLGlHLyupBLq6hxfOE5M77OXoNiex:wuyJvDhfRf6lH2MDPfOE5M2XoNiex
Malware Config
Signatures
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Netsupport family
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\nskbfltr.sys | winst64.exe
Sets service image path in registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" | WINSTALL.EXE
Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service" | CICSafeguardingAgent.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent | CICSafeguardingAgent.exe
Blocklisted process makes network request 2 IoCs
flow | pid | Process
17 | 3872 | MSIEXEC.EXE
19 | 3872 | MSIEXEC.EXE
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" | WINSTALL.EXE
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PHYSICALDRIVE0 | CICSafeguardingAgent.exe
Drops file in System32 directory 64 IoCs
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 25 IoCs
Executes dropped EXE 26 IoCs
pid | Process
4956 | classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
1436 | WINSTALL.EXE
4172 | winst64.exe
3668 | cicStudent.exe
1868 | GetUserLang.exe
1940 | cicStudent.exe
1536 | GetUserLang.exe
2528 | winst64.exe
3624 | Process not Found
3180 | Process not Found
1060 | Process not Found
4576 | CICSafeguardingAgent.exe
3188 | GetUserLang.exe
3400 | CICPlugin.exe
1100 | CICPlugin64.exe
4504 | CICPlugin.exe
4824 | CICPlugin64.exe
2108 | eSafetyHookAppCIC.exe
3320 | ImageAnalyzerApp.exe
1104 | cichooksApp64.exe
2504 | HookAppCIC64.exe
2924 | Process not Found
3772 | Process not Found
3900 | StoreInvCIC.exe
4116 | CICToolbar.exe
3308 | cicStudent.exe
Loads dropped DLL 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 29 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CICSafeguardingAgent.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | CICSafeguardingAgent.exe

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" | cicStudent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" | cicStudent.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMEM" | cicStudent.exe
Modifies data under HKEY_USERS 36 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-19 = "Ultimate Performance" cicStudent.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" cicStudent.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\VBScriptSetScriptStateStarted = "240645484" MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs cicStudent.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" CICSafeguardingAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached CICSafeguardingAgent.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" cicStudent.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "210" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@Winlangdb.dll,-1121 = "English (United States)" LogonUI.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates cicStudent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs cicStudent.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root cicStudent.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d66b3cfc07eddb01 CICSafeguardingAgent.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" cicStudent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E CICSafeguardingAgent.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" CICSafeguardingAgent.exe
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} winst64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell\Play\Command msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment" winst64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\InstalledBySetup = "Student" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\DeploymentFlags = "3" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Clients = 3a0000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Polish = "Student" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Version = "33554434" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\German = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Japanese = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student" WINSTALL.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student" WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" winst64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\PackageName = "classroom.cloud Student.msi" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductName = "classroom.cloud Student" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\1 = "DISK1;1" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\ = "cicClient32Provider" winst64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Dutch = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0" msiexec.exe
Key created \REGISTRY\MACHINE\Software\Classes\.rpf msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Bulgarian = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Portuguese = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Serbian = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Swedish = "Student" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductIcon = "C:\\Windows\\Installer\\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\\ARPPRODUCTICON.exe" msiexec.exe
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid Process
1940 cicStudent.exe
4576 CICSafeguardingAgent.exe
1940 cicStudent.exe
1940 cicStudent.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process
1396 MsiExec.exe
1396 MsiExec.exe
4028 msiexec.exe
4028 msiexec.exe
736 MsiExec.exe
736 MsiExec.exe
1436 WINSTALL.EXE
1436 WINSTALL.EXE
1436 WINSTALL.EXE
1436 WINSTALL.EXE
1436 WINSTALL.EXE
1436 WINSTALL.EXE
3668 cicStudent.exe
3668 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1100 CICPlugin64.exe
1100 CICPlugin64.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
3400 CICPlugin.exe
4576 CICSafeguardingAgent.exe
1100 CICPlugin64.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3872 MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege 3872 MSIEXEC.EXE
Token: SeSecurityPrivilege 4028 msiexec.exe
Token: SeCreateTokenPrivilege 3872 MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege 3872 MSIEXEC.EXE
Token: SeLockMemoryPrivilege 3872 MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege 3872 MSIEXEC.EXE
Token: SeMachineAccountPrivilege 3872 MSIEXEC.EXE
Token: SeTcbPrivilege 3872 MSIEXEC.EXE
Token: SeSecurityPrivilege 3872 MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege 3872 MSIEXEC.EXE
Token: SeLoadDriverPrivilege 3872 MSIEXEC.EXE
Token: SeSystemProfilePrivilege 3872 MSIEXEC.EXE
Token: SeSystemtimePrivilege 3872 MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege 3872 MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege 3872 MSIEXEC.EXE
Token: SeCreatePagefilePrivilege 3872 MSIEXEC.EXE
Token: SeCreatePermanentPrivilege 3872 MSIEXEC.EXE
Token: SeBackupPrivilege 3872 MSIEXEC.EXE
Token: SeRestorePrivilege 3872 MSIEXEC.EXE
Token: SeShutdownPrivilege 3872 MSIEXEC.EXE
Token: SeDebugPrivilege 3872 MSIEXEC.EXE
Token: SeAuditPrivilege 3872 MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege 3872 MSIEXEC.EXE
Token: SeChangeNotifyPrivilege 3872 MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege 3872 MSIEXEC.EXE
Token: SeUndockPrivilege 3872 MSIEXEC.EXE
Token: SeSyncAgentPrivilege 3872 MSIEXEC.EXE
Token: SeEnableDelegationPrivilege 3872 MSIEXEC.EXE
Token: SeManageVolumePrivilege 3872 MSIEXEC.EXE
Token: SeImpersonatePrivilege 3872 MSIEXEC.EXE
Token: SeCreateGlobalPrivilege 3872 MSIEXEC.EXE
Token: SeCreateTokenPrivilege 3872 MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege 3872 MSIEXEC.EXE
Token: SeLockMemoryPrivilege 3872 MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege 3872 MSIEXEC.EXE
Token: SeMachineAccountPrivilege 3872 MSIEXEC.EXE
Token: SeTcbPrivilege 3872 MSIEXEC.EXE
Token: SeSecurityPrivilege 3872 MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege 3872 MSIEXEC.EXE
Token: SeLoadDriverPrivilege 3872 MSIEXEC.EXE
Token: SeSystemProfilePrivilege 3872 MSIEXEC.EXE
Token: SeSystemtimePrivilege 3872 MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege 3872 MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege 3872 MSIEXEC.EXE
Token: SeCreatePagefilePrivilege 3872 MSIEXEC.EXE
Token: SeCreatePermanentPrivilege 3872 MSIEXEC.EXE
Token: SeBackupPrivilege 3872 MSIEXEC.EXE
Token: SeRestorePrivilege 3872 MSIEXEC.EXE
Token: SeShutdownPrivilege 3872 MSIEXEC.EXE
Token: SeDebugPrivilege 3872 MSIEXEC.EXE
Token: SeAuditPrivilege 3872 MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege 3872 MSIEXEC.EXE
Token: SeChangeNotifyPrivilege 3872 MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege 3872 MSIEXEC.EXE
Token: SeUndockPrivilege 3872 MSIEXEC.EXE
Token: SeSyncAgentPrivilege 3872 MSIEXEC.EXE
Token: SeEnableDelegationPrivilege 3872 MSIEXEC.EXE
Token: SeManageVolumePrivilege 3872 MSIEXEC.EXE
Token: SeImpersonatePrivilege 3872 MSIEXEC.EXE
Token: SeCreateGlobalPrivilege 3872 MSIEXEC.EXE
Token: SeCreateTokenPrivilege 3872 MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege 3872 MSIEXEC.EXE
Token: SeLockMemoryPrivilege 3872 MSIEXEC.EXE
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3872 MSIEXEC.EXE
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
4116 CICToolbar.exe
4116 CICToolbar.exe
4116 CICToolbar.exe
4116 CICToolbar.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
4116 CICToolbar.exe
3872 MSIEXEC.EXE
3872 MSIEXEC.EXE
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
4116 CICToolbar.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
-
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process
2528 winst64.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
3400 CICPlugin.exe
1100 CICPlugin64.exe
4576 CICSafeguardingAgent.exe
2108 eSafetyHookAppCIC.exe
1104 cichooksApp64.exe
2504 HookAppCIC64.exe
2504 HookAppCIC64.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
4576 CICSafeguardingAgent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
1940 cicStudent.exe
2200 LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4388 wrote to memory of 4956 4388 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 82
PID 4388 wrote to memory of 4956 4388 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 82
PID 4388 wrote to memory of 4956 4388 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 82
PID 4956 wrote to memory of 3872 4956 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 88
PID 4956 wrote to memory of 3872 4956 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 88
PID 4956 wrote to memory of 3872 4956 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 88
PID 4028 wrote to memory of 1396 4028 msiexec.exe 91
PID 4028 wrote to memory of 1396 4028 msiexec.exe 91
PID 4028 wrote to memory of 1396 4028 msiexec.exe 91
PID 4028 wrote to memory of 520 4028 msiexec.exe 97
PID 4028 wrote to memory of 520 4028 msiexec.exe 97
PID 4028 wrote to memory of 3848 4028 msiexec.exe 100
PID 4028 wrote to memory of 3848 4028 msiexec.exe 100
PID 4028 wrote to memory of 3848 4028 msiexec.exe 100
PID 4028 wrote to memory of 736 4028 msiexec.exe 101
PID 4028 wrote to memory of 736 4028 msiexec.exe 101
PID 4028 wrote to memory of 736 4028 msiexec.exe 101
PID 4028 wrote to memory of 1436 4028 msiexec.exe 102
PID 4028 wrote to memory of 1436 4028 msiexec.exe 102
PID 4028 wrote to memory of 1436 4028 msiexec.exe 102
PID 1436 wrote to memory of 4172 1436 WINSTALL.EXE 103
PID 1436 wrote to memory of 4172 1436 WINSTALL.EXE 103
PID 3668 wrote to memory of 1868 3668 cicStudent.exe 105
PID 3668 wrote to memory of 1868 3668 cicStudent.exe 105
PID 3668 wrote to memory of 1868 3668 cicStudent.exe 105
PID 3668 wrote to memory of 1940 3668 cicStudent.exe 106
PID 3668 wrote to memory of 1940 3668 cicStudent.exe 106
PID 3668 wrote to memory of 1940 3668 cicStudent.exe 106
PID 1940 wrote to memory of 1536 1940 cicStudent.exe 107
PID 1940 wrote to memory of 1536 1940 cicStudent.exe 107
PID 1940 wrote to memory of 1536 1940 cicStudent.exe 107
PID 1940 wrote to memory of 2528 1940 cicStudent.exe 108
PID 1940 wrote to memory of 2528 1940 cicStudent.exe 108
PID 1940 wrote to memory of 4576 1940 cicStudent.exe 109
PID 1940 wrote to memory of 4576 1940 cicStudent.exe 109
PID 1940 wrote to memory of 4576 1940 cicStudent.exe 109
PID 1940 wrote to memory of 3188 1940 cicStudent.exe 110
PID 1940 wrote to memory of 3188 1940 cicStudent.exe 110
PID 1940 wrote to memory of 3188 1940 cicStudent.exe 110
PID 1940 wrote to memory of 3400 1940 cicStudent.exe 111
PID 1940 wrote to memory of 3400 1940 cicStudent.exe 111
PID 1940 wrote to memory of 3400 1940 cicStudent.exe 111
PID 1940 wrote to memory of 1100 1940 cicStudent.exe 112
PID 1940 wrote to memory of 1100 1940 cicStudent.exe 112
PID 1940 wrote to memory of 4504 1940 cicStudent.exe 113
PID 1940 wrote to memory of 4504 1940 cicStudent.exe 113
PID 1940 wrote to memory of 4504 1940 cicStudent.exe 113
PID 1940 wrote to memory of 4824 1940 cicStudent.exe 114
PID 1940 wrote to memory of 4824 1940 cicStudent.exe 114
PID 4576 wrote to memory of 2108 4576 CICSafeguardingAgent.exe 115
PID 4576 wrote to memory of 2108 4576 CICSafeguardingAgent.exe 115
PID 4576 wrote to memory of 2108 4576 CICSafeguardingAgent.exe 115
PID 4576 wrote to memory of 3320 4576 CICSafeguardingAgent.exe 116
PID 4576 wrote to memory of 3320 4576 CICSafeguardingAgent.exe 116
PID 2108 wrote to memory of 1104 2108 eSafetyHookAppCIC.exe 117
PID 2108 wrote to memory of 1104 2108 eSafetyHookAppCIC.exe 117
PID 4576 wrote to memory of 2504 4576 CICSafeguardingAgent.exe 118
PID 4576 wrote to memory of 2504 4576 CICSafeguardingAgent.exe 118
PID 4576 wrote to memory of 3900 4576 CICSafeguardingAgent.exe 121
PID 4576 wrote to memory of 3900 4576 CICSafeguardingAgent.exe 121
PID 4576 wrote to memory of 3900 4576 CICSafeguardingAgent.exe 121
PID 1940 wrote to memory of 4116 1940 cicStudent.exe 123
PID 1940 wrote to memory of 4116 1940 cicStudent.exe 123
PID 1940 wrote to memory of 4116 1940 cicStudent.exe 123
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cicStudent.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" cicStudent.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4388
  [level 2] C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}" /IS_temp
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4956
    [level 3] C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
      - Blocklisted process makes network request
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 3872
    [level 3] C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\system32\explorer.exe
      PID: 4828
[level 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4028
  [level 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7932AFB00AC3723B905D7B8DB55D15DE C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1396
  [level 2] C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 520
  [level 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 122CD0051161772AEA84E7F4F7F8D03C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3848
  [level 2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 82DD52CFD756EB0DDEBA34C2BE4111E0 E Global\MSI0000
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 736
  [level 2] C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *
    - Sets service image path in registry
    - Modifies WinLogon
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1436
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
      Command line: winst64.exe /q /q /i
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      PID: 4172
[level 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID: 1012
[level 1] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 3668
  [level 2] C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1868
  [level 2] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1940
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 1536
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EB90200,1
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 2528
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1
      - Impair Defenses: Safe Mode Boot
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4576
      [level 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2108
        [level 5] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
          Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 2108 532 Local\CIC_ESAFETY_IPC_KDB
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 1104
      [level 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"
        - Executes dropped EXE
        PID: 3320
      [level 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 2504
      [level 4] C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3900
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 3188
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM
      - Enumerates connected drives
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 3400
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM
      - Enumerates connected drives
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 1100
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 4504
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 4824
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf8
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      PID: 4116
    [level 3] C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3308
[level 1] C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3a3a855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 2200
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Impair Defenses (1)
  - Safe Mode Boot (1)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Loading Replay Monitor...
Downloads