Analysis
max time kernel: 486s
max time network: 467s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 17:18

Static task: static1
Behavioral task: behavioral1
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win10ltsc2021-20250619-en
Behavioral task: behavioral3
  Sample: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  Resource: win11-20250610-en

General
Target: classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
Size: 161.9MB
MD5: f90bad1d98e0b83c6f7ee6de8ef14808
SHA1: 1d68942f29c9a7dff0bf5bcec0f8a407b79dbc76
SHA256: c4b825fcd3b18955157e5ea94fc13baf2512c9b4d69c484d087904fe8fd8a5b7
SHA512: 3582900b604d74a8a2977a1cbd5cf07a398db3c0af47f1c92d0f109aac40fec5ba29e174b05d7b102684ec5f6d96a27eb20b8f31639c2239ca9bacdaab9506b2
SSDEEP: 3145728:wujlRWlJTp1m+q+fb3NtFLGlHLyupBLq6hxfOE5M77OXoNiex:wuyJvDhfRf6lH2MDPfOE5M2XoNiex
Malware Config
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software. The family signature matches NetSupport's own client components (here dropped under C:\Program Files (x86)\NetSupport\classroom.cloud\ and registered as the CiCStudent service), so it fires on sanctioned deployments as well as on abused copies; who installed it, and from where, decides the verdict, not the signature.

Netsupport family
Drops file in Drivers directory  (1 IoC)
  File created  C:\Windows\system32\drivers\nskbfltr.sys  winst64.exe
Sets service image path in registry  (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *"  WINSTALL.EXE
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"  WINSTALL.EXE
The second row registers the driver dropped under system32\drivers above as a kernel service. The user-mode ImagePath is quoted, so the "Program Files (x86)" space does not open an unquoted-service-path hijack; the driver path uses the \SystemRoot form, which needs no quoting.
Impair Defenses: Safe Mode Boot  (1 TTP, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent  CICSafeguardingAgent.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service"  CICSafeguardingAgent.exe
A key under SafeBoot\Minimal whose default value is "Service" tells Windows to start the service of that name in Safe Mode, where third-party services are otherwise skipped. The key name here ("NetSupport DNA Agent") matches neither service registered in this report (CiCStudent, nskbfltr), so the entry only has an effect on a host where a service of that exact name exists.
Blocklisted process makes network request  (2 IoCs)
  flow 2  pid 3204  MSIEXEC.EXE
  flow 3  pid 3204  MSIEXEC.EXE
The flows themselves (destinations, protocol) are not part of this page.
Enumerates connected drives  (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 rows are "File opened (read-only)" on a drive root; grouped by process:
  MSIEXEC.EXE (15)              \??\A: \??\B: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\N: \??\Q: \??\R: \??\T: \??\U: \??\X: \??\Z:
  msiexec.exe (14)              \??\A: \??\B: \??\E: \??\G: \??\H: \??\J: \??\K: \??\N: \??\Q: \??\R: \??\T: \??\V: \??\W: \??\Z:
  CICPlugin.exe (21)            \??\A: \??\B: \??\E: \??\F: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  CICPlugin64.exe (13)          \??\B: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\N: \??\Q: \??\R: \??\T: \??\U: \??\Z:
  CICSafeguardingAgent.exe (1)  \??\f:
Walking every drive letter is what Windows Installer's disk-costing step and inventory code do; on its own it is not a malicious indicator.
Modifies WinLogon  (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"  WINSTALL.EXE
The signature matched on the Winlogon key path. The value touched is AllowMultipleTSSessions (a Terminal Services session setting) in the WOW6432Node (32-bit) view; none of the Winlogon execution hooks (Userinit, Shell, Notify) are written anywhere in this report.
Writes to the Master Boot Record (MBR)  (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification  \??\PHYSICALDRIVE0  CICSafeguardingAgent.exe
The signature fires on a handle to the raw physical disk being opened with write access; the report records the open, not any bytes written to sector 0. Whether the MBR changed has to be confirmed from a disk image, not from this row.
Drops file in System32 directory  (64 IoCs)
  winst64.exe (2 rows):
    File created                  C:\Windows\system32\cicclient32provider.dll
    File opened for modification  C:\Windows\system32\cicclient32provider.dll
  WINSTALL.EXE (1 row):
    File opened for modification  C:\Windows\SysWOW64\pcimsg.dll
  cicStudent.exe (4 rows, certificate URL cache of the SYSTEM profile):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
  cicStudent.exe (57 rows, all "File opened for modification" of C:\Windows\SysWOW64\<name>.pdb):
    activeds, adsldpc, advapi32, Amsi, bcryptprimitives, CLBCatQ, comdlg32, crypt32, dbgcore, dbghelp, devobj, dhcpcsvc, dhcpcsvc6, dnsapi, dwmapi, fastprox, gpapi, Kernel.Appcore, MMDevAPI, mpr, msvcp_win, msvcrt, netutils, nsi, ole32, oleaut32, profapi, psapi, sechost, setupapi, shcore, shell32, shlwapi, srvcli, ucrtbase, userenv, version, wbemcomn, wbemprox, wbemsvc, wgdi32, wgdi32full, winhttp, wininet, winspool, winsta, WinTypes, wintrust, wkernel32, wkernelbase, wkscli, wldap32, ws2_32, wsock32, wsspicli, wuser32, wwin32u
The .pdb rows are the same symbol-file names the process also probes under classroom.cloud\dll\ and classroom.cloud\symbols\dll\ (see the Program Files section), which is consistent with a debug-symbol search path rather than with files being dropped. The only files actually written into a system directory are cicclient32provider.dll (registered as a COM server later in the report) and pcimsg.dll. The CryptnetUrlCache rows are crypt32's cache for objects fetched by URL (CRLs, issuer certificates), written in the SYSTEM profile because cicStudent.exe runs as a service.
Event Triggered Execution: Component Object Model Hijacking  (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
No IoC rows are attached to this signature. The only COM registration visible in this report is CLSID {7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} with InProcServer32 = "cicClient32Provider.dll", written by winst64.exe (see "Modifies registry class"); that is a new registration by the installer, not the overwrite of an existing CLSID.
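The service, Safe Mode and COM rows in this report describe three registry persistence mechanisms that a reviewer normally cross-checks by hand: is a user-mode ImagePath that contains spaces quoted, does a SafeBoot\Minimal "Service" entry name a service that actually exists, and is a COM InProcServer32 value an absolute path or a bare file name left to the DLL search order. The Python below is an added triage helper, not code from the report or from NetSupport. Its input rows are constructed here from this report's own Services\ImagePath, SafeBoot\Minimal and CLSID\InProcServer32 entries (same paths, values and processes); the RegEvent type, the regular expressions and the wording of the findings are this example's own.

```python
"""Registry persistence triage over sandbox-report rows (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    op: str               # Triage operation label: "Key created", "Set value (str)", ...
    path: str             # registry path exactly as the report prints it
    value: Optional[str]  # data written; None for key create/open/delete rows
    process: str          # process that performed the operation


# Constructed from rows in this report (same paths, values and processes).
EVENTS = [
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath",
             r'"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *',
             "WINSTALL.EXE"),
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath",
             r"\SystemRoot\system32\drivers\nskbfltr.sys", "WINSTALL.EXE"),
    RegEvent("Key created",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent",
             None, "CICSafeguardingAgent.exe"),
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent" + "\\",
             "Service", "CICSafeguardingAgent.exe"),
    RegEvent("Set value (str)",
             r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32" + "\\",
             "cicClient32Provider.dll", "winst64.exe"),
]

_SERVICE_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
_SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(Minimal|Network)\\([^\\]+)\\?$", re.IGNORECASE)
_INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\?$", re.IGNORECASE)
_ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)")   # drive, UNC or %VAR%\ prefix


def image_binary(image_path: str) -> str:
    """Executable named by a service ImagePath, with quotes and arguments removed."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|sys))(?:\s|$)", s, re.IGNORECASE)  # unquoted: stop at the extension
    return m.group(1) if m else s


def unquoted_with_spaces(image_path: str) -> bool:
    """True for the classic exposure: an unquoted ImagePath whose binary path contains spaces."""
    s = image_path.strip()
    return not s.startswith('"') and " " in image_binary(s)


def services(events: List[RegEvent]) -> Dict[str, Tuple[str, str, str]]:
    """Service name -> (binary, raw ImagePath, writing process) for every ImagePath write."""
    out: Dict[str, Tuple[str, str, str]] = {}
    for e in events:
        m = _SERVICE_RE.search(e.path)
        if m and e.value is not None:
            out[m.group(1)] = (image_binary(e.value), e.value, e.process)
    return out


def safeboot(events: List[RegEvent]) -> Dict[str, Tuple[str, Optional[str], str]]:
    """SafeBoot entry -> (mode, kind, process); kind is the default value ("Service"/"Driver") once written."""
    out: Dict[str, Tuple[str, Optional[str], str]] = {}
    for e in events:
        m = _SAFEBOOT_RE.search(e.path)
        if m:
            mode, name = m.group(1), m.group(2)
            kind = e.value if e.value is not None else out.get(name, (mode, None, e.process))[1]
            out[name] = (mode, kind, e.process)
    return out


def inproc_servers(events: List[RegEvent]) -> Dict[str, Tuple[str, bool, str]]:
    """CLSID -> (InProcServer32 value, whether it is an absolute path, process)."""
    out: Dict[str, Tuple[str, bool, str]] = {}
    for e in events:
        m = _INPROC_RE.search(e.path)
        if m and e.value is not None:
            v = e.value.strip().strip('"')
            out[m.group(1).upper()] = (v, bool(_ABSOLUTE_RE.match(v)), e.process)
    return out


def findings(events: List[RegEvent]) -> List[str]:
    """Plain-language findings for the three persistence mechanisms."""
    out: List[str] = []
    svc = services(events)
    for name, (binary, raw, proc) in svc.items():
        if unquoted_with_spaces(raw):
            out.append(f"unquoted ImagePath with spaces: {name} = {raw} (by {proc})")
        if binary.lower().endswith(".sys"):
            out.append(f"kernel driver service {name} -> {binary} (by {proc})")
    known = {n.lower() for n in svc}   # service names are case-insensitive
    for name, (mode, kind, proc) in safeboot(events).items():
        if kind == "Service" and name.lower() not in known:
            out.append(f"SafeBoot\\{mode}\\{name} = Service, but no service of that name is registered in these events (by {proc})")
        else:
            out.append(f"SafeBoot\\{mode}\\{name} = {kind}: stays loaded in Safe Mode (by {proc})")
    for clsid, (value, absolute, proc) in inproc_servers(events).items():
        if not absolute:
            out.append(f"COM server {clsid} registered by bare file name {value!r}: resolved through the DLL search order (by {proc})")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

On this report's rows the helper reports the nskbfltr kernel driver, the SafeBoot entry whose name matches no registered service, and the bare-name COM server; it raises nothing for CiCStudent, whose ImagePath is quoted. Feed it the full registry table of a report to get the same three checks across every row.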
Checks installed software on the system  (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
No IoC rows are attached. An MSI-based installer reads Uninstall and Installer\Products entries to find an earlier version of the same product to upgrade, which is what the UpgradeCodes row under "Modifies registry class" reflects.
Drops file in Program Files directory  (64 IoCs)
Every row is under C:\Program Files (x86)\NetSupport\classroom.cloud\; paths below are relative to that directory.
  msiexec.exe, File created (33 rows):
    PciHooksApp64.exe, NSSilence.exe, GetUserLang.exe, ManageADAccount.exe, CloudConfig.dll, PCIRES.dll, pluginsoftwaremodule.DLL, rootcert.pem, js\lockpage.js
    api-ms-win-crt-time-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, boost_system-vc140-mt-x32-1_67.dll
    Safeguarding\libeay32.dll, Safeguarding\opencv_core481.dll, Safeguarding\opencv_imgproc481.dll, Safeguarding\openvino.dll, Safeguarding\IAViSScreenshot.dll, Safeguarding\defuser.jpg, Safeguarding\res\7519\IAViSResource.13, Safeguarding\Components\CICAppHook64.dll, Safeguarding\Components\HookAppCIC64.exe
    Locales\1028\pcicl32_RES.dll, Locales\1028\PluginSoftwareModule64_res.dll, Locales\1028\ManageADAccount_res.dll, Locales\1031\PluginSoftwareModule64_res.dll, Locales\1035\ManageADAccount_res.dll, Locales\1041\pcicl32_RES.dll, Locales\1042\PluginSoftwareModule64_res.dll, Locales\1043\pluginsoftwaremodule_RES.dll, Locales\1045\ManageADAccount_res.dll, Locales\1046\ManageADAccount_res.dll, Locales\1055\pluginsoftwaremodule_RES.dll, Locales\1055\pcicl32_RES.dll
  CICSafeguardingAgent.exe (7 rows):
    File created                  Safeguarding\Cloud\phrase_we.enc, Safeguarding\Cloud\phrase_po.enc, Safeguarding\Cloud\phrase_ur.enc, Safeguarding\phrase_ur.enc, Safeguarding\Phrase_ar.enc
    File opened for modification  Safeguarding\Cloud\phrase_po.enc, Safeguarding\Cloud\phrase_zh.enc
  cicStudent.exe, File opened for modification (24 rows, all .pdb symbol files):
    crypt32.pdb, dnsapi.pdb, netapi32.pdb, ole32.pdb, profapi.pdb, secur32.pdb, ucrtbase.pdb, ws2_32.pdb
    dll\Amsi.pdb, dll\crypt32.pdb, DLL\dbghelp.pdb, dll\msvcrt.pdb, dll\pcichek.pdb, dll\profapi.pdb, dll\secur32.pdb, dll\shell32.pdb, dll\winhttp.pdb, dll\wininet.pdb, dll\winsta.pdb, dll\wsock32.pdb
    symbols\dll\Kernel.Appcore.pdb, symbols\dll\msvcrt.pdb, symbols\dll\wbemsvc.pdb, symbols\dll\wrpcrt4.pdb
Points a reviewer would pull out of this list: the Safeguarding component ships its own OpenSSL (libeay32.dll) and image-analysis stack (opencv_core481.dll, opencv_imgproc481.dll, openvino.dll, IAViSScreenshot.dll) alongside user-mode hook modules (CICAppHook64.dll, HookAppCIC64.exe, PciHooksApp64.exe); rootcert.pem is a bundled trust anchor whose use cannot be determined from this page; and the per-language phrase_*.enc files are written by the agent itself at run time, not by the installer.
Drops file in Windows directory  (29 IoCs)
  msiexec.exe (26 rows):
    File created  C:\Windows\Installer\e57c841.msi, C:\Windows\Installer\e57c843.msi, C:\Windows\Installer\inprogressinstallinfo.ipi, C:\Windows\Installer\SourceHash{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}, C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe
    File created  C:\Windows\SystemTemp\~DF7B2B82C7180B1873.TMP, C:\Windows\SystemTemp\~DFC6D6E80C0FB307E8.TMP, C:\Windows\SystemTemp\~DF08FD784C0875426E.TMP, C:\Windows\SystemTemp\~DF649529251FDF2755.TMP
    File created  under C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\: mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F, mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F, mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F, mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F
    File opened for modification  the same four $PatchCache$ files, plus the directories C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6 and C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2
    File opened for modification  C:\Windows\Installer\, C:\Windows\Installer\MSID561.tmp, C:\Windows\Installer\MSID68B.tmp, C:\Windows\Installer\MSID89F.tmp, C:\Windows\Installer\e57c841.msi, C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe, C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  MsiExec.exe (1 row):
    File created  C:\Windows\Installer\CloseHookApp64.exe
  WINSTALL.EXE (2 rows):
    File opened for modification  C:\Windows\setuperr.log, C:\Windows\setupact.log
All of this is standard Windows Installer bookkeeping: the cached .msi copies, the in-progress marker, the Add/Remove Programs icon, and the $PatchCache$ copies of the MFC runtime (file name suffixed with the MSI component ID). The product code {70749FB9-1BB4-4CC2-9D12-B0B058F63B6E} and the 32-character 9BF947074BB12CC4D9210B0B856FB3E6 are the same GUID; the latter is Windows Installer's packed form, which is also the key name used under Installer\Products and UpgradeCodes later in the report.
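The two spellings of the product code above (braced in C:\Windows\Installer\ and packed under $PatchCache$, Installer\Products and UpgradeCodes) are related by a fixed transform: reverse the first three hex fields, then swap the two nibbles of every remaining byte. The Python below is an added example, not code from the report or from NetSupport; it converts between the two forms and lists the registry keys and directories in which a given product code should appear when pivoting from a sandbox report to a live host. The msi_locations helper is this example's own, and its Uninstall-key location assumes a 32-bit package under WOW6432Node because this product installs into Program Files (x86).

```python
"""Windows Installer packed-GUID conversion and the places a product code shows up (added example)."""
import re
from typing import Dict, Optional

_GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")


def _squish(hex32: str) -> str:
    """Reverse the 8-, 4- and 4-digit fields, then swap the nibbles of each remaining byte.
    Applying it twice returns the input, so the same routine packs and unpacks."""
    h = hex32.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", h):
        raise ValueError(f"expected 32 hex digits, got {hex32!r}")
    head = h[0:8][::-1] + h[8:12][::-1] + h[12:16][::-1]
    tail = "".join(h[i:i + 2][::-1] for i in range(16, 32, 2))
    return head + tail


def pack_guid(guid: str) -> str:
    """Braced product code -> packed form used under Installer\\Products and $PatchCache$\\Managed."""
    m = _GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    return _squish("".join(m.groups()))


def unpack_guid(packed: str) -> str:
    """Packed form -> braced, hyphenated product code (upper-case)."""
    h = _squish(packed)
    return "{%s-%s-%s-%s-%s}" % (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])


def msi_locations(product_code: str, upgrade_code: Optional[str] = None,
                  wow64: bool = True) -> Dict[str, str]:
    """Registry keys and directories to check for one product code.
    wow64=True assumes a 32-bit package (this report installs into Program Files (x86))."""
    packed = pack_guid(product_code)
    braced = unpack_guid(packed)            # normalises case and braces
    node = "WOW6432Node\\" if wow64 else ""
    locs = {
        "products_key": r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + packed,
        "patch_cache": r"C:\Windows\Installer\$PatchCache$\Managed" + "\\" + packed,
        "installer_dir": r"C:\Windows\Installer" + "\\" + braced,
        "source_hash": r"C:\Windows\Installer\SourceHash" + braced,
        "uninstall_key": (r"HKLM\SOFTWARE" + "\\" + node
                          + r"Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + braced),
    }
    if upgrade_code:
        locs["upgrade_key"] = (r"HKLM\SOFTWARE\Classes\Installer\UpgradeCodes" + "\\"
                               + pack_guid(upgrade_code) + "\\" + packed)
    return locs


if __name__ == "__main__":
    # The pair taken from this report.
    print(pack_guid("{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}"))
    for k, v in msi_locations("{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}",
                              upgrade_code=unpack_guid("3B9E4CE5450ADE844A5047C6767B1AF8")).items():
        print(f"{k:14s} {v}")
```

Because _squish is its own inverse, unpack_guid(pack_guid(x)) round-trips any GUID, so the UpgradeCodes row in this report can be turned back into a braced upgrade code and compared against the vendor's other packages without a lookup table.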
Executes dropped EXE  (23 IoCs)
  pid   Process
  2488  classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
  4176  WINSTALL.EXE
  3028  winst64.exe
  5056  cicStudent.exe
  4564  GetUserLang.exe
  6044  cicStudent.exe
  3776  GetUserLang.exe
  2280  winst64.exe
  3276  Process not Found
  436   Process not Found
  1200  CICSafeguardingAgent.exe
  4640  GetUserLang.exe
  2496  CICPlugin.exe
  2028  CICPlugin64.exe
  3404  CICPlugin.exe
  4268  CICPlugin64.exe
  3652  eSafetyHookAppCIC.exe
  1892  ImageAnalyzerApp.exe
  1044  cichooksApp64.exe
  5836  HookAppCIC64.exe
  2632  Process not Found
  3504  Process not Found
  1576  StoreInvCIC.exe
"Process not Found" marks rows whose image name the sandbox could not resolve (the process had already exited); four of the 23 executions therefore have no name on this page.
Loads dropped DLL  (64 IoCs)
One row per DLL load, so a pid repeats once per DLL it loaded. Distinct loading processes:
  4844  MsiExec.exe
  4952  MsiExec.exe
  5468  MsiExec.exe
  4176  WINSTALL.EXE
  3028  winst64.exe
  2280  winst64.exe
  5056  cicStudent.exe
  6044  cicStudent.exe
  4564  GetUserLang.exe
  3776  GetUserLang.exe
  4640  GetUserLang.exe
  1200  CICSafeguardingAgent.exe  (most of the 64 rows)
  2028  CICPlugin64.exe
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
No IoC rows are attached; the concrete device accesses are the SCSI registry rows and the \??\PHYSICALDRIVE0 open listed elsewhere in this report.

Reads user/profile data of web browsers  (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
No IoC rows are attached, so which browser files were read is not visible on this page; the only browser-related registry writes recorded are the Internet Explorer Isolation values changed by cicStudent.exe (below).
System Location Discovery: System Language Discovery  (1 TTP, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 17 rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; by process:
  MsiExec.exe (3), MSIEXEC.EXE (1), WINSTALL.EXE (1), classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe (2), cicStudent.exe (2), GetUserLang.exe (3), CICPlugin.exe (2), CICSafeguardingAgent.exe (1), eSafetyHookAppCIC.exe (1), StoreInvCIC.exe (1)
The installer ships per-LCID resource DLLs (Locales\1028, 1031, 1035, ...) and a GetUserLang.exe helper, so these reads are locale selection for the UI rather than geolocation; the signature description is the generic one.
Checks SCSI registry key(s)  (3 TTPs, 29 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Paths below are relative to \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI.
  CICSafeguardingAgent.exe (24 rows; each of these keys was opened, queried and enumerated):
    (the SCSI root itself)
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
    CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
    CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW
    CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000
    Disk&Ven_WDC&Prod_WDS100T2B0A
    Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  vssvc.exe (5 rows, all under Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters):
    Key opened        Device Parameters
    Key queried       Device Parameters
    Key created       Device Parameters\Partmgr
    Set value (data)  Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  Device Parameters\Partmgr\PartitionTableCache = (value not present in the extracted report)
The CICSafeguardingAgent.exe rows are a complete walk of the SCSI device tree (every disk and optical device, opened, queried and enumerated), which reads like a hardware inventory rather than a targeted sandbox check. The vssvc.exe rows are the Windows Volume Shadow Copy service writing its own Partmgr caches (SnapshotDataCache begins with the ASCII tag "SNAPPART"), a side effect of a snapshot operation on the host and not behaviour of the sample.
Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  CICSafeguardingAgent.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  CICSafeguardingAgent.exe
Only the clock-speed value (~MHz) was read; the values usually checked for sandbox detection (ProcessorNameString, VendorIdentifier) do not appear in this report.
(signature title not present in the extracted report; 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM"  cicStudent.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL"  cicStudent.exe
cicStudent.exe saves the logged-on user's previous Internet Explorer Isolation setting (PMEM, the value IE uses with Enhanced Protected Mode on) under Isolation_old_student and sets Isolation to PMIL (Enhanced Protected Mode off). This is a per-user security downgrade written by a service-level process into another user's hive; the "_old_student" copy suggests it is meant to be reverted later, but no restore is recorded on this page.
Modifies data under HKEY_USERS  (27 IoCs)
All rows are under \REGISTRY\USER\.DEFAULT (the profile used by services); paths below are relative to it.
  cicStudent.exe (7 rows):
    Key created      Software\Microsoft\SystemCertificates\Root, Software\Microsoft\SystemCertificates\Root\CRLs, Software\Microsoft\SystemCertificates\Root\CTLs, Software\Microsoft\SystemCertificates\Root\Certificates
    Set value (str)  Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"; ...,-13 = "High performance"; ...,-15 = "Balanced"
  MsiExec.exe (2 rows):
    Key created      Software\Microsoft\Windows Script\Settings
    Set value (int)  Software\Microsoft\Windows Script\Settings\JITDebug = "0"
  msiexec.exe (3 rows):
    Key deleted      Software\Classes\Local Settings\MuiCache\27\52C64B7E, Software\Classes\Local Settings\MuiCache\27
    Key created      Software\Classes\Local Settings\MuiCache\28
  CICSafeguardingAgent.exe (15 rows):
    Key created      Software, Software\Microsoft, Software\Microsoft\Windows, Software\Microsoft\Windows\CurrentVersion, Software\Microsoft\Windows\CurrentVersion\Explorer, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt, Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached, Software\Classes\Local Settings\MuiCache\28\52C64B7E
    Set value (str)  Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"; Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
    Set value (data) Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000194595f907eddb01
The MuiCache strings are Enhanced Key Usage display names that crypt32 resolves when it enumerates certificate purposes, and the power-plan names come from a power-scheme query. cicStudent.exe creates the per-profile Root certificate store containers for the service account, but no certificate blob is written in these rows, so whether the bundled rootcert.pem is imported as a trust anchor cannot be decided from this page.
Modifies registry class 64 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\9BF947074BB12CC4D9210B0B856FB3E6 (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\DefaultIcon\ = "C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\PCIVideo.exe,1" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\NSS (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\French = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Turkish = "Student" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} (winst64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" (winst64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Polish = "Student" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6 (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Finnish = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Serbian = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\PackageCode = "FA06C577E0F97EF43BC0780831A779F7" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" (WINSTALL.EXE)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment" (winst64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Common = "NSS" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Korean = "Student" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\AuthorizedLUAApp = "1" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with classroom.cloud Student" (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Portuguese = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net\1 = "C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student" (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student" (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32 (winst64.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Czech = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\1 = "DISK1;1" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6 (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Bulgarian = "Student" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media (msiexec.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Clients = 3a0000000000 (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Norwegian = "Student" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\MexicanSpanish = "Student" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" (WINSTALL.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile (WINSTALL.EXE)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Russian = "Student" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\InstanceType = "0" (msiexec.exe) -
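The entries above are the part of this section that decides what runs later: the .rpf extension is bound to the NSReplayFile ProgID, the WMVFile and movfile "show" verbs are pointed at pcinssui.exe /ShowVideo "%L", and CLSID {7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} gets an InProcServer32 of "cicClient32Provider.dll" with no directory, so the loader finds that DLL through the normal search order rather than at a fixed path. The block below is an added example, not code from the report or from NetSupport. It parses entries in the format printed above, pulls out extension-to-ProgID bindings, shell verb command handlers and InProcServer32 registrations, and applies two triage rules that are my own assumptions (a handler executable should live under the vendor install directory; a COM server should be registered by absolute path). The sample input copies entries from this section and adds one constructed AVIFile handler pointing at C:\Users\Public\viewer.exe, marked as such, to show what the first rule flags.

```python
"""Pull the file-type, shell-verb and COM registrations out of 'Modifies
registry class' entries and apply two simple triage rules."""
import re
from dataclasses import dataclass
from typing import Optional

# Entries copied from the report section above, one per line.
REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student" WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" WINSTALL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" winst64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment" winst64.exe
"""
# Constructed line, NOT in the report: a handler that points outside the install dir.
CONSTRUCTED_LINE = r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Users\\Public\\viewer.exe\" \"%L\"" example.exe'
SAMPLE = REPORT_LINES + CONSTRUCTED_LINE + "\n"


@dataclass
class RegEntry:
    op: str                 # "Key created" / "Key deleted" / "Set value"
    vtype: Optional[str]    # str / int / data (Set value only)
    key: str
    value: Optional[str]    # decoded for str values, raw otherwise
    process: str


_OP = re.compile(r"^(Key created|Key deleted|Set value \((\w+)\))\s+(.+)$")
_HANDLER = re.compile(r"\\Classes\\([^\\]+)\\shell\\([^\\]+)\\command\\?$", re.I)
_EXT = re.compile(r"\\Classes\\(\.[^\\]+)\\?$", re.I)
_COM = re.compile(r"\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\?$", re.I)


def _unescape(raw):
    """String values are printed C-escaped inside double quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_entries(text):
    entries = []
    for line in text.strip().splitlines():
        m = _OP.match(line.strip())
        if not m:
            continue
        parts = m.group(3).rsplit(None, 1)   # the process name is the last token
        if len(parts) != 2:
            continue
        rest, process = parts
        key, value = rest, None
        if m.group(2):                        # a Set value entry carries a value
            key, _, raw = rest.partition(" = ")
            value = _unescape(raw) if m.group(2) == "str" else raw.strip('"')
        entries.append(RegEntry(m.group(1).split(" (")[0], m.group(2), key, value, process))
    return entries


def split_command(cmd):
    """Split a shell command value into (exe, args); the exe may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def shell_handlers(entries):
    """(ProgID, verb) -> {exe, args, process} for every verb command whose value was captured."""
    found = {}
    for e in entries:
        m = _HANDLER.search(e.key)
        if m and e.op == "Set value" and e.value:
            exe, args = split_command(e.value)
            found[(m.group(1), m.group(2).lower())] = {"exe": exe, "args": args, "process": e.process}
    return found


def extension_map(entries):
    """'.ext' -> ProgID, taken from the default value of each extension key."""
    out = {}
    for e in entries:
        m = _EXT.search(e.key)
        if m and e.op == "Set value" and e.value:
            out[m.group(1).lower()] = e.value
    return out


def review(entries, install_dir):
    """Assumed triage rules: handler executables must live under install_dir,
    and COM in-process servers must be registered by absolute path."""
    findings = []
    prefix = install_dir.lower().rstrip("\\") + "\\"
    for (progid, verb), h in shell_handlers(entries).items():
        if not h["exe"].lower().startswith(prefix):
            findings.append(f"{progid}\\shell\\{verb} launches {h['exe']} outside {install_dir} (set by {h['process']})")
    for e in entries:
        m = _COM.search(e.key)
        if m and e.op == "Set value" and e.value and not re.match(r"^[A-Za-z]:\\", e.value):
            findings.append(f"CLSID {m.group(1)} InProcServer32 is the bare name {e.value!r}, resolved via the DLL search order (set by {e.process})")
    return findings


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    print(extension_map(ents))
    for k, v in shell_handlers(ents).items():
        print(k, v)
    print("\n".join(review(ents, r"C:\Program Files (x86)\NetSupport\classroom.cloud")))
```

Two limits worth knowing when reading the output against this report: the NSReplayFile\Shell\Play\Command key appears here only as "Key created", so the executable behind the .rpf handler is not recoverable from this section, and the same holds for the ASFFile, AVIFile and mpegfile "show\command" keys, for which only WMVFile and movfile have a captured value.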
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 6044 cicStudent.exe 1200 CICSafeguardingAgent.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4844 MsiExec.exe 4844 MsiExec.exe 4776 msiexec.exe 4776 msiexec.exe 5468 MsiExec.exe 5468 MsiExec.exe 4176 WINSTALL.EXE 4176 WINSTALL.EXE 4176 WINSTALL.EXE 4176 WINSTALL.EXE 4176 WINSTALL.EXE 4176 WINSTALL.EXE 5056 cicStudent.exe 5056 cicStudent.exe 6044 cicStudent.exe 6044 cicStudent.exe 2028 CICPlugin64.exe 2028 CICPlugin64.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2496 CICPlugin.exe 1200 CICSafeguardingAgent.exe 2028 CICPlugin64.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
- 3204 MSIEXEC.EXE: SeShutdownPrivilege, SeIncreaseQuotaPrivilege (entries 1 to 2)
- 4776 msiexec.exe: SeSecurityPrivilege (entry 3)
- 3204 MSIEXEC.EXE: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (29 privileges, entries 4 to 32)
- 3204 MSIEXEC.EXE: the same 29-privilege sequence a second time (entries 33 to 61)
- 3204 MSIEXEC.EXE: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege (entries 62 to 64, where the list ends at 64 entries) -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process: 3204 MSIEXEC.EXE (2 entries), 6044 cicStudent.exe (62 entries) -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process: 6044 cicStudent.exe (all 64 entries) -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2280 winst64.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 2496 CICPlugin.exe 2028 CICPlugin64.exe 1200 CICSafeguardingAgent.exe 3652 eSafetyHookAppCIC.exe 1044 cichooksApp64.exe 5836 HookAppCIC64.exe 5836 HookAppCIC64.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe 1200 CICSafeguardingAgent.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical entries grouped, with the number of times each write was logged)
- PID 5216 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe wrote to memory of 2488 (procid_target 78), logged 3 times
- PID 2488 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe wrote to memory of 3204 (79), 3 times
- PID 4776 msiexec.exe wrote to memory of 4844 (81), 3 times
- PID 4776 msiexec.exe wrote to memory of 4252 (85), 2 times
- PID 4776 msiexec.exe wrote to memory of 4952 (87), 3 times
- PID 4776 msiexec.exe wrote to memory of 5468 (89), 3 times
- PID 4776 msiexec.exe wrote to memory of 4176 (90), 3 times
- PID 4176 WINSTALL.EXE wrote to memory of 3028 (91), 2 times
- PID 5056 cicStudent.exe wrote to memory of 4564 (93), 3 times
- PID 5056 cicStudent.exe wrote to memory of 6044 (94), 3 times
- PID 6044 cicStudent.exe wrote to memory of 3776 (95), 3 times
- PID 6044 cicStudent.exe wrote to memory of 2280 (96), 2 times
- PID 6044 cicStudent.exe wrote to memory of 1200 (97), 3 times
- PID 6044 cicStudent.exe wrote to memory of 4640 (98), 3 times
- PID 6044 cicStudent.exe wrote to memory of 2496 (99), 3 times
- PID 6044 cicStudent.exe wrote to memory of 2028 (100), 2 times
- PID 6044 cicStudent.exe wrote to memory of 3404 (101), 3 times
- PID 6044 cicStudent.exe wrote to memory of 4268 (102), 2 times
- PID 1200 CICSafeguardingAgent.exe wrote to memory of 1892 (103), 2 times
- PID 1200 CICSafeguardingAgent.exe wrote to memory of 3652 (104), 3 times
- PID 3652 eSafetyHookAppCIC.exe wrote to memory of 1044 (105), 2 times
- PID 1200 CICSafeguardingAgent.exe wrote to memory of 5836 (106), 2 times
- PID 1200 CICSafeguardingAgent.exe wrote to memory of 1576 (110), 3 times
- PID 2488 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe wrote to memory of 4408 (113), 3 times -
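Every write in this section goes from a process to a pid that the Processes section lists as its own child, which is the pattern of the start-up writes a parent makes when it creates a child; a write whose target already has a different writer is the thing to chase when looking for injection into an unrelated process. The block below is an added example, not part of the report: it parses entries in the report's format even when they are run together on a single line (the writer pid is printed twice per entry, and a backreference rejects any fragment where the two copies disagree), counts duplicates, rebuilds the tree and the lineage of any pid, and lists writes into a pid that already has a different writer. The sample is a subset of the entries above plus one constructed entry (pid 9999, injector.exe, not in the report) that exercises that last check.

```python
"""Rebuild the parent/child tree from a sandbox report's 'wrote to memory of'
section, even when the entries have been run together onto one line."""
import re
from collections import OrderedDict

# Constructed sample: a subset of the entries from the section above, pasted
# exactly as the report prints them (duplicates included, no line breaks).
SAMPLE = (
    "PID 5216 wrote to memory of 2488 5216 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 78 "
    "PID 5216 wrote to memory of 2488 5216 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 78 "
    "PID 2488 wrote to memory of 3204 2488 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 79 "
    "PID 2488 wrote to memory of 4408 2488 classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe 113 "
    "PID 4776 wrote to memory of 4844 4776 msiexec.exe 81 "
    "PID 4776 wrote to memory of 4176 4776 msiexec.exe 90 "
    "PID 4176 wrote to memory of 3028 4176 WINSTALL.EXE 91 "
    "PID 5056 wrote to memory of 6044 5056 cicStudent.exe 94 "
    "PID 6044 wrote to memory of 1200 6044 cicStudent.exe 97 "
    "PID 1200 wrote to memory of 3652 1200 CICSafeguardingAgent.exe 104 "
    "PID 3652 wrote to memory of 1044 3652 eSafetyHookAppCIC.exe 105"
)
# Constructed entry, NOT in the report: a write into a pid that already has a parent.
CONSTRUCTED_INJECTION = "PID 9999 wrote to memory of 4844 9999 injector.exe 200"

# The writer pid is printed twice per entry; the backreference rejects any
# fragment where the two copies disagree (a sign the text was split mid-entry).
_ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Return ({(src, dst): count}, {src: process name}) in first-seen order."""
    counts, names = OrderedDict(), {}
    for m in _ENTRY.finditer(text):
        src, dst, name = int(m.group(1)), int(m.group(2)), m.group(3)
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
        names.setdefault(src, name)
    return counts, names


def build_tree(counts):
    """children[pid] -> child pids in first-seen order; parent[pid] -> first writer."""
    children, parent = OrderedDict(), {}
    for src, dst in counts:
        children.setdefault(src, []).append(dst)
        parent.setdefault(dst, src)
    return children, parent


def roots(counts):
    """Pids that write to others but are never written to inside this section."""
    targets = {dst for _, dst in counts}
    seen = []
    for src, _ in counts:
        if src not in targets and src not in seen:
            seen.append(src)
    return seen


def lineage(parent, pid):
    """Chain of writers leading to pid, outermost first."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, names, pid, depth=0):
    """Indented listing; a pid that never acts as a writer has no name here."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def non_child_writes(counts, parent):
    """Writes whose target already has a different writer: the pattern to
    chase when looking for real injection rather than start-up writes."""
    return [(s, d) for s, d in counts if parent.get(d) != s]


if __name__ == "__main__":
    counts, names = parse_writes(SAMPLE + " " + CONSTRUCTED_INJECTION)
    children, parent = build_tree(counts)
    for r in roots(counts):
        print("\n".join(render(children, names, r)))
    print("writes into a pid owned by another parent:", non_child_writes(counts, parent))
```

Run against the report's own entries only, the tree this produces matches the Processes section below and the last check returns nothing; the constructed 9999 entry is the only write it flags.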
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe (PID 5216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe (PID 2488)
    Command line: C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}" /IS_temp
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 3204)
      Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"
      Signatures: Blocklisted process makes network request; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\explorer.exe (PID 4408)
      Command line: C:\Windows\system32\explorer.exe
- C:\Windows\system32\msiexec.exe (PID 4776)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4844)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B3C7C2209FDC1917E06EA15D9A637CD4 C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\srtasks.exe (PID 4252)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 4952)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 65296CBAAB07D6692AB3D11F556279B3
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 5468)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9D8C9CB784B552368CF0CCC9F1C2645C E Global\MSI0000
    Signatures: Drops file in Windows directory; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE (PID 4176)
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *
    Signatures: Sets service image path in registry; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe (PID 3028)
      Command line: winst64.exe /q /q /i
      Signatures: Drops file in Drivers directory; Drops file in System32 directory; Executes dropped EXE; Loads dropped DLL; Modifies registry class
- C:\Windows\system32\vssvc.exe (PID 4860)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
- C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 5056)
  Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *
  Signatures: Drops file in System32 directory; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe (PID 4564)
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe (PID 6044)
    Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI
    Signatures: Drops file in System32 directory; Drops file in Program Files directory; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe (PID 3776)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe (PID 2280)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EBb026a,1
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe (PID 1200)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1
      Signatures: Impair Defenses: Safe Mode Boot; Enumerates connected drives; Writes to the Master Boot Record (MBR); Drops file in Program Files directory; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Checks SCSI registry key(s); Checks processor information in registry; Modifies data under HKEY_USERS; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe (PID 1892)
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"
        Signatures: Executes dropped EXE
      - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe (PID 3652)
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe (PID 1044)
          Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 3652 512 Local\CIC_ESAFETY_IPC_KDB
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe (PID 5836)
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe (PID 1576)
        Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe (PID 4640)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe (PID 2496)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM
      Signatures: Enumerates connected drives; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe (PID 2028)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM
      Signatures: Enumerates connected drives; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
    - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe (PID 3404)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe (PID 4268)
      Command line: "C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Defense Evasion
- Impair Defenses (1): Safe Mode Boot (1)
- Modify Registry (3)
- Pre-OS Boot (1): Bootkit (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize 98KB
  MD5 6c5d0a9782811cf2976b18be3cbd1130
  SHA1 1a10a7890bc13a54d387378da8911bed6dc874bc
  SHA256 4f6a6ec7c61ee748cac13076aa7fd4a8f66bee425747b29fcb26a31ee92729de
  SHA512 ea5c368f969f5cd42d910bb5c0db1cf89802f48b6a0ca171996040256ba7058c00ae3fee5304806ee4526f901c354cda7598aa706d7135c355bf650d00103ce0
- Filesize 303KB
  MD5 233d6c47b7c38c84c6795c3fe173525e
  SHA1 02b87df7cff7f9b484f55c4e451bbd49d4f402ce
  SHA256 9d6bd498a54d006a3d41499b8442df15d4e8ef5083cda4ed4620014ce057989c
  SHA512 023a184f978ddbf8be714ae1437bc1da59fdc5cfac0e1ed13befbb09004951312a8fa7d30fad66e6641ec3b0ce0568c2899f1343e4f6da9ae23d4975c82063f5
- Filesize 33KB
  MD5 231413407e88a179ea9a7889305bdc8d
  SHA1 d6031475fb06cc401352be605a4ef70c89a0c774
  SHA256 9a70110c7d0d1366c21e5acc69498cc67c87aef96ae67c7fb37314243a23a5a7
  SHA512 12cc1f4acec4159a86b76a08661ed8ce583b24ecc1a7da734e52a1416a02a330937cb1eae6b098fc8d7b69b89a651c54146de4185e6d8db4cb9790c66f658725
- Filesize 429KB
  MD5 1d8c79f293ca86e8857149fb4efe4452
  SHA1 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
  SHA256 c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
  SHA512 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1
- Filesize 755KB
  MD5 0e37fbfa79d349d672456923ec5fbbe3
  SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- Filesize 31KB
  MD5 c82ffe193bfb7a4e37d84c6f69128054
  SHA1 b3429dc37d021432e5d47e0a2eb087268e8d1e6c
  SHA256 ef64a39c59562b1a731563b7c688fae45c3e8f355d402c7ebc80f19aea09f9ef
  SHA512 aa3bc90c072c8d9da93e55d026459930338cc083491e3c42782adc4c06cd25f16136369c63ea3252cadee5ec62e3e3b8f06b1bbaa82a8f6838d6be3e36ed7b18
- Filesize 7.3MB
  MD5 6fa0e22d7e5d4ee737878290035a0267
  SHA1 5099b37c049fa3a91a63611535429fd18adb5c2a
  SHA256 79bc3ed1a07c0119719b7875865162293df573c540edbce7c08e47325c362dcd
  SHA512 ab5b2d0d5b862c2b9cca9e9a1e3590281b5cf94fe69ca322e335e8d59d85efebcd098c115c5a4ecf1aff6dc0acdcddc6b68ba62d4144eac3044e0df4f4f1a39e
- Filesize 1.2MB
  MD5 3cb1b4875e0115df4acf16f2d9afc195
  SHA1 1c869c11c8113b39e7291df1bc4283d6062be810
  SHA256 97b0de6aff804f5634b7453b6b27ee5a2d78ab2781c9cbf59a45b8a2f6e783d3
  SHA512 86ec315a960ad0223d35b569927df60939109ad4d9d1f20fa990e493fb3c25a2240196a9c852ecfd4967d01d4bd39f9f6e07dace2e70a50975fde8ee1c05e2aa
- Filesize 45KB
  MD5 e82daaf3a38c76f3e1cd3378cdafbd64
  SHA1 dfbf9cee2aeac45881bcf764946f54ddc5014df5
  SHA256 c1c03df6cb83b1016ff3f470513f7179c8ff0d7ac7a70f7efbdee13e3dfecb1b
  SHA512 2ea546a44eeefbf90aada2275b53dcef14ee7eef193451f669fa7bfc9af0dfba0ba042cbc95e1557b51b22b2a26dec9ffd1daa5dbf17238c6c6852adf71ba9b7
- Filesize 46KB
  MD5 0501c0cb6cb497ab6bdcfb4424295442
  SHA1 d31d676024be5459f0d74a92e7bc22311a6a0fe9
  SHA256 73177341059297bf68283667bb03e754d86e8782a5a3b96e55e7d2b7422f6472
  SHA512 0c16c620117d1b939f9a09bd6e9eb6cb2022016a15e36ca93b0faa328a11345e308795c3e96eedc6379c296dad7da505cb6e05be02bca1057d3d478c1bfc131f
- Filesize 86KB
  MD5 a61e06cf390215db0cbccabd20a88543
  SHA1 b4be0f456fbc5f143344e2563f167a32c418d739
  SHA256 7039caeac8385590c84003fec2d373f9dede911d853206743236ecd65f493e40
  SHA512 f99633b056ca0b3a167e386a9d6a44cabf6c5383b48698f9ac5e1b28cf88280058ae62698a2d0e1175bd623f558a51ca520d6c252845a0d8fc7998a36d81a380
- Filesize 107KB
  MD5 8115ab34ef0cc4797b814378d6e5d68b
  SHA1 6836e7ce359605459d770e07c91b9055ae11a6f9
  SHA256 d84f5e874237c70e4f5643b4e60fbb20e2a2c6e2510e7c169e9de53b6676048f
  SHA512 4622e8fa15740f7269300741645052bca226162794886dbef05b6860af5dc88a820d4b9ff0f2344736472cc2287609002d5829f8481b0a15e18a029c265aa9c1
- Filesize 217KB
  MD5 182a16b7281dafe1f3f18cdae50517b3
  SHA1 a1b09ceea9d4be113774091afe6c64f688d14777
  SHA256 e8f264a5cb5376c300fa151c7bded92d410cbb76aeee67772e240daaf7208255
  SHA512 76dbf7ec2235a86cbf56d4b3cd943faacff95861786cff53f50869342883e1e7d4933ef20dfb1d081e41e2509c5e28d7c7b8757e44f1e24896a5dfff4c7dc1b3
-
Filesize
85KB
MD5fd1148acce98cd2d51c3f97c8c3c14c5
SHA1ab1b65ed5bdd8be9978578f639654f7de3f1209e
SHA25681f52395f8e25205af1133c69dea1cd40a9c55ed9e15b374260f0b22a7281e42
SHA512ef9d9d1f585cc96ffaab4fe745770de6394ec2c091c72760b6f0b7c69a82b88e5143affae8fcdd0e514e680354573dc46ce4d308e5bf1918f93b0aa896261420
-
Filesize
204KB
MD55a604969f3e3635fb05a95ead6f6249f
SHA1c9650a7ba71b6a81bd805b2970eaa509f7a1a8fa
SHA256412f367ec28f2e76939ff86f1d0f269596a4885a4bdcef26e5295e75917be429
SHA512c1e07bc1dd47cdd07724eaadd35f46cbb5bcfff1a0cad4c16ec23ce9edbb9bbe69100c86937dc02718bd1bf3da4a22c9736d497c0f1d29da180f2608a129e904
-
Filesize
97KB
MD512cb5b2c2d6acda63bbdf7242b8c38c0
SHA120eb3eac8df0266826295f8c2638d5a6908132f4
SHA25663c7b0401663812ed8c9c78b84b44d603b62e48d395542efe3394c48dee6582f
SHA512a65886565b6242d56ea438ec000568eebfefc188099d25df4cfa91de2f51c07aa1862ae7865b6fd16b621cfd3f0567bdc738437db4a7d4692436f86fd20e10b7
-
Filesize
61KB
MD56cf754a46adcd324d7c93593e2d22518
SHA1f3d75e427bf61151442a129fce70c78a4937cc79
SHA256cf5eaca01cdbc596fa6d49bfef07f94a9e21b9bdcf8e661fb777aa35ffa43089
SHA5120e44bd204daf8ee0ab225fe0dd828cb1e78a81725f3ab2d20e85fac1a0efa13ff2196433149ca31626be59780f7a542e9f917d752fc4999e018cd411b406eff5
-
Filesize
208KB
MD521b301bbb8f88d75d893d475d8f657f6
SHA133afab1c540a11269cc5f46c9a3270a85d460958
SHA2565ccab2b8a6fead9a8790f1a109d6f6b8974ed3c99c3778d4ce9b1b3d58968748
SHA512b584564a1cb9204bf23f3f20ab2fcb7525463c9adcf1589b1eced7f7cc0f32128016364b1ab638546001bf20b430d56c87168559ce34c3365b86385563a35bee
-
Filesize
130KB
MD5c0b213079929efb3571a0d8fc1645909
SHA1197184e3ec72e9cf6a2e6b0dfa6abf39d145b90e
SHA25664608d9fdb41cb2f89c86a5fe6117d23f7b9b134a965ff2294c94b99640ea2c7
SHA512fe52eaeacf68a46c4acdd529ed7677f498a41769a731de37218e3e0313ee57a81a1fdd87af16f6848b0e3eab2184162bc9dd422f4bd17030388265ea9d62e2b2
-
Filesize
299KB
MD5212b239eb6604dcac0a301d6e14a59cd
SHA1d70eb5504fb7b27295597abe3de9cdbcacd03f90
SHA256f2157184a435ad69adcd4d8087b2839707cc9ac33b0f927e8b0de32c7b16b0e3
SHA512b4b3df80bc9d553035633eea773a3c54e4f1e11f145d71573bbdd90090420fab4c3d49edeaed5478348520110c28dd2cec626640725c323f0f1c394802c9597c
-
Filesize
107KB
MD5bba65f31222c17a1853c5fb9a1ba4e51
SHA124941c2361f4db7aaad352103030178d73a39206
SHA2562d5334ceed6b603e3d18cafefcffbb1c85694202625d23fcdcc23615e31b185c
SHA512bf08cd5d78a70b5f313cf736f9c01d9225ab6296a5cf3b411fe39ece69d9f8caea0cac16cc91d610ee61fe0088bcbc1f271478fce60f2aac7b2ceae1f849a632
-
Filesize
93KB
MD55341bb2685c89d671fa628ca8c0def05
SHA15babc0927c18d9a37987e9c23ddc950951a59c0e
SHA256536e984e070427f4bab27023def839c8c58d834acfb72e06c25167b0540b1394
SHA51220567a4a3d215ccee097ef94e521b70c9f8eca54983103f4469aa4367b426afdef954fca83dba9305d48201682c37eed845886761e1ffa0023b8b0768ccbcabf
-
Filesize
170KB
MD5e577c17c4891f703630d83a5315abf6e
SHA191a0f7f86cc1043d6e8abe8930e66bcaec890865
SHA256c57c19305cea56e33c7bfc204379d20ac359ac84da737c64612a91481acd068d
SHA512ef8f985118eb0b8da75516e9ce097e16bf0da05fe08d51b8d48cce6c61f3a09f44f5b41cf76a116b026e02546e686fb3b62042c9fc4c5c993849fb9272f4f2b9
-
Filesize
41KB
MD57a858a62fef9760a753b9cb07716d40e
SHA1644690afab612beb06a22b673fb024b14f341c15
SHA2566aa3e5de0a176d25570fc983315089a6a66a228c6298bd020de424120216edcc
SHA5125dc76020b04764ad268d52ee4fd623d40573ea9e9fee831acc7dc9dff15857d7fb85cb6260ac64fde718d6874759680e533f7391ff02e2e1b536eb7f96192da2
-
Filesize
62KB
MD5117e651c518b35cd481eb176a960bdde
SHA1882bf297863f1ec7ff344c81c07ef1ba5fae3c18
SHA256a5be60b9aad89d39d65f0a354afc3fabc9e869a8dd342a3a70abe1b2312e79bf
SHA512fa611903e6f2f43f3650c58ca7c879eff86626b641746a677b5729dc05570759f8f3a6e793967e713a96ed2afb25583a46e458a4786d1a44ef5a78da768d8017
-
Filesize
124KB
MD5ff4999b039e8bdc4bf2e94f362617b16
SHA14d3861a3b77dcf59f774257c54f62a0d51d328aa
SHA25682ae7b76091d42f0a59b53150b184bd77f08ecb085e5e4d608a757a85dff5928
SHA5126b9c679b1c408260bc810550b2e3b3619f2c8aad2cf9d5f0517806f1c216d5cc0a2c314ab6d1a0492306dff0086fa0edf1da4ebc482e16ffb2250a59bd235c6a
-
Filesize
66KB
MD5c8d510b9e1b084333f40a054d404884e
SHA167ee32911115462be0b0aebb728cacc5bcfb5b88
SHA256e2b3503180fa40362c1ed983852ff32dcffcc71fed05d3197c7a9996eb820f85
SHA512bdac6796fcb7f00f84375cecf1a5cfaec39afbb78956514f5a7d2c0b7b8bf55599669e571cfc856cf683dcc8a417b19bae99c76598594c9cdd647dc72ebf80b8
-
Filesize
227KB
MD5f9b4a682ca1fc4d2ea21634a034edae7
SHA128532ff051fe208d1d75e3bf413cc55a65d128a4
SHA256c1959663aa2fd4614553bf14bd0805455b8140e8c271b9aea01fc00339ed63c1
SHA5123067c7a0ea71873f68ad7b830283d3a4de5e6db161c2701c1b1f80eb6b747bb511cd748a9360127afcf01e87bbd8c39862fbb8b2ddaccf403a79c2b382d850e3
-
Filesize
2B
MD5c4103f122d27677c9db144cae1394a66
SHA11489f923c4dca729178b3e3233458550d8dddf29
SHA25696a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
SHA5125ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54
-
Filesize
1.3MB
MD5d49157eb1caaa84fdfac88628f8134ea
SHA1ea22715e2a9d66c74ea55b6ffe46a1555b612356
SHA256e8625a6883d63407c2a7897f93701bbc488db0c2b52519b8be2b6928c669ab6b
SHA51280c32dcdf64f19c316adcf92b9c5ca2dd6d50607479b1c43058226c8b4ed9a219087d246677cafe534799bef28ab3fc825cd3ab14db7792bdaf677c6aaa73830
-
Filesize
743KB
MD5c6b9f3f79923b253424465b4055bdb28
SHA13744a1f6b0e9222ed6850d021016eca0b10bc519
SHA256ec764c26475e1c9620b642c8807142bfdb72e85e1e8bdc87cdfb0e43f90a3b62
SHA512ecb7738dcef64b3b62a708565c08a8302629a47fdd26f8630ba6359ba413e93b2c96719cdf9c8c5845d1f0d61a69a34dab84431fe6d93a249ab982d7348e57d1
-
Filesize
1.4MB
MD5f9cf2db8b99dc50eab538c4d860ac1a4
SHA1b261c9e7f082eb8649afab9a677e022f84fd2823
SHA256865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71
SHA51259660740b58b1761a4658aeb02f669f1fd8a3fcb07c162a86b9565c5f9219cb993cc9d94b43b1d39edcd5032b478b8a9b3a388fb82449ca82a83e3c6dd94c02d
-
Filesize
33KB
MD5ffa0bb22a09efde0dc53cee4ad7761ce
SHA19213940d26e0d98afcd33ac3d3e021f3b99f50a6
SHA25670d8dc0d4f6c2c88bef7f8a18da833ae9c99d6da8a3b253f12fbfb91eb75b7f3
SHA512a2853aff65a297254188a2ed64ca9e1d81daaf037fd48a9d97764d1e8e90e294ace33fb4ee1151fce086299b5ced04854758f7fd6f16b5ebc25d64ea6f399f34
-
Filesize
238KB
MD5092b95b9308e2827a3b1598add0e306d
SHA110321c34bbe5982c3005188afa94d1ce73964f2e
SHA256a3cdd51d7a6260e352ad6de5451f4164228ef8150c77c02e5dab3b38f964307f
SHA51220464945cdb7662e4d9f2226ad5e32ff5cff53f08e803bac1cd0a45063534e5b12aacd5661aedfe8ef5064ff56d6b147ecb9430d17e2d9ef4bb13fb7626c01cf
-
Filesize
842KB
MD598a75771d452d5d5fafb9bdc091c512d
SHA167a0e43a56a15082453a9d4940e832155a3057c4
SHA256fa87e30988d3f55399042a2eae90eae0e1934cebd11c6e10168fb40a0395da72
SHA5129dd3d0ed053976379b96064d14c1246df0fc6e09a2683d79d6c005622f5f64e208e45fa75df41e9854671ad093c9b4c8f2274aef623173e36f553733866e3c39
-
Filesize
2KB
MD5344e5f94494802ff38fa02cec9ab8e02
SHA1fb16f5357725ac40a00a608be0bc522c2b0544ea
SHA256f6f1c23bf836f7773de21292e6aebd86568993f995c0cb799a63151a67e05f12
SHA5120cb6e4ac146f4352249ecf29cfe7eb3c3105342fdfda8e6ca9e23abbf1cba179fa3a9f62b992ac700c65d6234a1679d3790f40ae948cc5e5b01443755a36f5b5
-
Filesize
39KB
MD535c66ae99109a44804f5ea8032d1377d
SHA16f769b861db4595d15733372fd4932dc226b72af
SHA256f1b455de2ec03091d0ed0d27c7e8428931208d9b3fcfc91b13b1a3eb55235064
SHA51255ce58e56a9dd1de898940bbcc79b120f1df87eb39a1b5882134478bc7f7cfa7ea3fe2038bdd573fa6a2930594f53310e8c3f02f6d32ad14af985d89174f82a5
-
Filesize
48KB
MD5bd5def2b91eaf52eba3a33eeb67cee48
SHA16cc6d4b8379cf2a59a770110d17b1f5a531a4a05
SHA2566ebc2f4a6962793da3d7cffcda8f0246be8c9eebff3591d021279b482c08926b
SHA5126f203908aa2002282cd66eb52d2a1473248afb92ae419d0d04352604c580f34308f485f9283a5b83aeb7742c2e9cdce6e3354935f226667cd5c2ba266430e975
-
Filesize
54KB
MD50880c1c48690981c8d06831956ebf69a
SHA1f112137e17e5e5c69567c431f993c338b6fc3422
SHA256dbf281d1a065ea5e3162f01b658910a39f70f24523d9d6e0ea11535055120d63
SHA51297805f65041d2fc8e2f49795cd2a9a9216dee43463112a7576e78bfb595e7b74da7121652e8bf6a8c04fbfde4c7671c4810b748b693a523d285d307eeeaaaaa6
-
Filesize
397B
MD51776504eea61cb14d645e4ecf7f66fed
SHA15902f0fa83a830bfc9d1befa3583330354389a26
SHA256ebeabcbf16e7a50062ca7271a94359b5e1a648d84ab14e05974a293c56740bed
SHA512e396290024f37579886f07e8924ba0ad5c95818fb3d7dc24263684a72d97ff0cf9eeaf85498d28bf22d8beb2c4c08eeea08839b26259b243cc3bae39eb851710
-
Filesize
1KB
MD53cdcf8f9b05de85c7e7008e7f4a70123
SHA14f2c894e8c86200efcb93ad0ebd85296d48f360c
SHA25627f2bfa146d2d50ae0694bc4d0fbec7e47642396099fc078e4b567048e7a439e
SHA51293f240508610c8cabdadeaf35049204d65985c10f6e3e44a6acef1ff0da62993460e35a6ed3e5b442e32ac751312efe4f03b6b1104b0adb5beb653d71750d3e6
-
Filesize
81KB
MD58e65e033799eb9fd46bc5c184e7d1b85
SHA1e1cc5313be1f7df4c43697f8f701305585fe4e71
SHA256be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4
SHA512e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd
-
Filesize
335KB
MD5183a205187acb2b5313800eb7200654f
SHA13f71e3722409a256ea8aba277e9b459906abedab
SHA2565cd1f3b175ff2a492fe581ad80f83affac3b6bf17602a06f4c5f2368373a5774
SHA51239b0ac5723df4fb480d2af1b4ffdbdc52ba3d5e6f78d8d33b954c36f3f69954645625278116a24691f5ef2b4ef0ee08e39c592175f503938fb4f5418c2d6f53d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2
Filesize1KB
MD53de57e3ccdd9b8db1f0e7c725bf2aa7d
SHA18fb59a6f70ae52073ac80d8ca234228aac77343c
SHA2562ad53da1ca034894ed0a55571c739ed8750a35aa51b99f235e90f65157cb21ca
SHA512920abb22be2f3fc0feab8d22361cb07c9bc0d3c4e87e9a8025bc95ad207d1783d80007fb884a9861be81a93c9936e23972b49f19d715861b9b669356ceed3eac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize1KB
MD5fd8a20ae034c688d34c65d0899328dd0
SHA1d8d1418441e290da13c08a0a53842995c3431779
SHA256c31307defd1c468c6351e78fdf977f2bad54d495645596af99834d55f596cbb0
SHA512707110747b13354c6fa82d82534cab8b3b0dc3b06b94494a4ad576b5d28960f00e3aeadd6ac07b99a0e9dda0765ee08e2d6b6b5b2cb13deaae48043b506f1e7c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Filesize1KB
MD5e4b82021432532761b974e337ed0e76d
SHA1eafe08bf9c38219e7c31f3e4de10eb378cd6a85c
SHA25638a941ac9c4ecda3d20b0823e81f2521f8f61838f7d60b69998877c7fc95a493
SHA512430707c940340ffba8ced7ecdee071d1a9b8d54437df37f6878061c6eaff06bfb44f04435e37b6f8f238e9aabb3c3e72e4b63f83cb51033ce5db452c78f75eee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2
Filesize540B
MD51a83151b0d2ab208ec2a2ea56cdb0eb7
SHA16e66213b8b67b37df43f3d12c2e341bac8d1528c
SHA256b6cfb7db005b9445a1ea02d4da34884696bb24296f342da11bd0867460023e5d
SHA51282351e8b04608832679b542b778e25e620e3ae726b4c44fe2f6decde7b3acd075f944dd8b6776bc5c195a93e31f96395aa4f4df3905e4edb982d4a86068d5353
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize536B
MD510cc21cb44bdc0739bb1d1a583115e6d
SHA17935ba27b0cd094b755cadebe578fdf44a2d966e
SHA2560fea1a4b34f134d4fece9d1f527cb2ba1a9d6e25f9c818aa477d91a85a2f64ff
SHA5124cfd038554a7df256d6e0ec7cd6ad28033a6595c1c28e2ee1a1f576fb659c4a673b436e31b10db826f6379abab660387efc70874f2b41d8dd8c820d9665721cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Filesize508B
MD5c38991168ea2c93ea96e25856fab88fd
SHA1bf25e8dc7514f43b853438bd1bd9bd6b08f62f1d
SHA256dc56a066883d74d74adf7bddbd1dbfe85ba443279501927656426d6489c370ec
SHA51244421b2e906504961da5108f469e1caba1445f8c270ebf79f9af0d2138d49ddc0a8c70766bb64c0e59b7f263e7b5c296138d3033d7a6234e89b5db070aa3b5cf
-
Filesize
169KB
MD50e6fda2b8425c9513c774cf29a1bc72d
SHA1a79ffa24cb5956398ded44da24793a2067b85dd0
SHA256e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
SHA512285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa
-
Filesize
153KB
MD5a1b7850763af9593b66ee459a081bddf
SHA16e45955fae2b2494902a1b55a3873e542f0f5ce4
SHA25641b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
SHA512a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1
-
Filesize
504KB
MD58bd0092b3561d926e98e0f8836a744e5
SHA1db75ca62c6bd40b5381a4edc49ff516a8420fc94
SHA256c9dabf1752ab3d0ab1f88cc6aa5cbf37ac95f4f5fee3acc78b7f3d6118492049
SHA512f1f2a102fc6c714256fa9095c063f5d0e40b89397c938bc2bd9b9f3d97a8a5b3773f2050eed9c1e50b4430049ed21f1fd128ff70a13f1ba78a6f7eb3641fbbea
-
Filesize
21KB
MD5a108f0030a2cda00405281014f897241
SHA1d112325fa45664272b08ef5e8ff8c85382ebb991
SHA2568b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
SHA512d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298
-
Filesize
5KB
MD523ce7ea2a8100e466e40796a515eea42
SHA11a2f854ce18ea586e50f836be406142c551844e1
SHA256ff21c2dc626491e548332ee554bc3d89786e5b8206e60f9b9c7ffaede25209a4
SHA51213337128807f1aa1d383897d029c466a91caad56ab91d01bc3ff3d270472143567bed883fa16509645735990eff79738f8fe537f01c80b9f04086beeef751182
-
Filesize
820B
MD5b35e7ef14ad9d188a0df33fa6c9554c5
SHA1b2a8e5c659cdd3dc09915f1f32d7b482792ecd7f
SHA256acc300cea692c6d536147f3028863ed697e33c4fbcbe9f1a5b9a4b12b8bac24d
SHA51257079f409d53d6d06f6386868180c836a1ed956f1633cdbc280f3c925f1974075f01347f3685f90ebfd52dddbf6eb0d595a321d3d63204df55c2a23a6472a742
-
Filesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
Filesize
102KB
MD5e02af20e191ff09db3c186066cc1375a
SHA10de9c222ce3568324603b2aec3057bf7ac8b10e8
SHA2565d7ed783f3d533a687877da91f9d6fd8393994206349503d8ccc419de9ed9fe6
SHA512df532d321c70512355e80821fe08570da1363a72ebbeb288ae91dcf3ee50544b1f9d4a1f895b1e1305eedc47ed0c6db9e0625cfbf1202d5d71d3516dd1a3fb45
-
Filesize
24.6MB
MD586c9262f8f4a99594529440695576ede
SHA1d3cdb921d30abe8263aa87f051150fc583b24023
SHA25639750700ba988952aacb37948932cc7d488a257f49ed9e82e3be1ebd48756f2b
SHA5123526eda4d5c95e82a51a88c1a0d58c0f8a176a86758cc16d78ac61fecd35b419e1542eb4e184bb7fec27a31a7d5b58843783adec2da6edb804ef8b3db45e00a7
-
\??\Volume{e35ef0ed-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{338fbb2e-7751-42e3-8af0-c1698cd6c9dc}_OnDiskSnapshotProp
Filesize6KB
MD5543f3f87de4b66becfb7d62c9bc70939
SHA16d2a22b9d039428b8eaea4f31fed798fb231b10c
SHA256d7aa45f96525f77af8442397fe03cb59a1176104f651236c3048ae1d2eaa7dcd
SHA51261e11d054e9f16a9f999834cc7f7e10cd91cde4d4174ee9001fedd289937aacb7493c66a850b1b3388f91b46f1555cc0a563400234fd4c63d3fa4948f5552c9a