Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-vvrehscn6w
Target classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
SHA256 c4b825fcd3b18955157e5ea94fc13baf2512c9b4d69c484d087904fe8fd8a5b7
Tags netsupport adware bootkit defense_evasion discovery persistence privilege_escalation ransomware rat spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe was found to be: Known bad.

Malicious Activity Summary

netsupport adware bootkit defense_evasion discovery persistence privilege_escalation ransomware rat spyware stealer

NetSupport

Netsupport family

Drops file in Drivers directory

Sets service image path in registry

Impair Defenses: Safe Mode Boot

Blocklisted process makes network request

Writes to the Master Boot Record (MBR)

Modifies WinLogon

Enumerates connected drives

Event Triggered Execution: Component Object Model Hijacking

Drops file in System32 directory

Checks installed software on the system

Drops file in Program Files directory

Loads dropped DLL

Drops file in Windows directory

Executes dropped EXE

Reads user/profile data of web browsers

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

System policy modification

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:18

Reported

2025-07-04 17:35

Platform

win10v2004-20250619-en

Max time kernel

952s

Max time network

958s

Command Line

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

Signatures

NetSupport

rat netsupport

Netsupport family

netsupport

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\nskbfltr.sys C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Enumerates connected drives

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\CLBCatQ.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Windows\SysWOW64\pcimsg.dll C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File created C:\Windows\system32\cicclient32provider.dll C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
File opened for modification C:\Windows\SysWOW64\advapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winhttp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\srvcli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpcsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\UMPDC.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\system32\cicclient32provider.dll C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbgcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\profapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\cfgmgr32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wininet.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkscli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wtsapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\oleaut32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wsspicli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Storage.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\sechost.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wrpcrt4.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winmm.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\comdlg32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\combase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\nsi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msasn1.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\SHFOLDER.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\secur32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\activeds.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\samcli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\gpapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\fastprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winspool.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Amsi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\audioses.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Windows\SysWOW64\DnaMsg.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\cicStudent.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcr100.i386.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wuser32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shlwapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wUxTheme.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wintrust.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\mpr.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\powrprof.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\setupapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\sechost.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\setupapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\bcrypt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_imgcodecs481.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\StoreSoftwareCtl64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\images\LS-512-white.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1035\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_po.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1542358329\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1320827036\crs.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\cicToolbar_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\zlib1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2052\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\netutils.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wtsapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\fastprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\openvino_ir_frontend.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\1415\IAViSResource.11 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-sysinfo-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\pcichek.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wuser32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\ucrtbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\activeds.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\DLL\dbgcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_imgproc481.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\22538\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\NSSilence.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1026\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\adsldpc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\wbemprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1320827036\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-debug-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1044\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\7519\IAViSResource.3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1053\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wimm32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_lv.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase_sl.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1043\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2070\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ur.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\7519\IAViSResource.14 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1045\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\NSL\NSCommonHook.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2070\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wgdi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\comdlg32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_nl.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sl.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\cicToolbar_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\comdlg32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wUxTheme.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sp.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase_sp.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5380_473995507\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\injlib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Sounds\ShowAnswer.wav C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\wininet.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\MMDevAPI.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c8be.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID14A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID63E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c8be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setupact.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File opened for modification C:\Windows\setuperr.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File created C:\Windows\Installer\e57c8c0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID2A3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\CloseHookApp64.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMEM" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000831412fd07eddb01 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961238063876095" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Turkish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Version = "33554434" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\MexicanSpanish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductName = "classroom.cloud Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\PackageName = "classroom.cloud Student.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Brazilian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\NSS C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\German = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Russian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.rpf C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /r\"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32 C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\French = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\ = "cicClient32Provider" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Student = "NSS" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Common = "NSS" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Spanish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductIcon = "C:\\Windows\\Installer\\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net\1 = "C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\ChineseT = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4144907350-1836498122-2806216936-1000\{CD4F7CD3-50F8-4295-BF46-14495A6A9F24} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Korean = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Lithuanian = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Finnish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Swedish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
PID 4628 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4420 wrote to memory of 1440 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 4856 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4420 wrote to memory of 5328 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 4708 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4420 wrote to memory of 5156 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
PID 5156 wrote to memory of 1464 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 3512 wrote to memory of 1572 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 3512 wrote to memory of 1700 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
PID 1700 wrote to memory of 4444 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1700 wrote to memory of 4932 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 1700 wrote to memory of 5408 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
PID 1700 wrote to memory of 4052 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1700 wrote to memory of 1280 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1700 wrote to memory of 3948 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1700 wrote to memory of 3948 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1700 wrote to memory of 1464 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1700 wrote to memory of 1464 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1700 wrote to memory of 1464 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1700 wrote to memory of 5260 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1700 wrote to memory of 5260 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 4628 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\explorer.exe
PID 4628 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\explorer.exe
PID 4628 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\explorer.exe
PID 5408 wrote to memory of 1612 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
PID 5408 wrote to memory of 1612 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
PID 5408 wrote to memory of 544 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 5408 wrote to memory of 544 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 5408 wrote to memory of 544 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 544 wrote to memory of 4400 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
PID 544 wrote to memory of 4400 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
PID 5408 wrote to memory of 5436 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
PID 5408 wrote to memory of 5436 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
PID 5408 wrote to memory of 4860 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 5408 wrote to memory of 4860 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 5408 wrote to memory of 4860 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}" /IS_temp

C:\Windows\SysWOW64\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 30CDFBDB81CF72E7508D9196B5BB6E83 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D0EDB1D95CD77F395A80B670AD7C410B

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E66C2E517D7D20BD397BC5D54EF1D808 E Global\MSI0000

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

"C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

winst64.exe /q /q /i

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EB100242,1

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 544 500 Local\CIC_ESAFETY_IPC_KDB

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf8

C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\IsMetro.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x310,0x314,0x318,0x30c,0x3b4,0x7ffea8c7f208,0x7ffea8c7f214,0x7ffea8c7f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2356,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2668,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3600,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3624,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5468,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4cc 0x320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=776,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4936,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5408,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=1932,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=3620,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=3680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6460,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6644,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6880,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,5014251740570245594,10766340323633331078,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x26c,0x270,0x274,0x268,0x29c,0x7ffea8c7f208,0x7ffea8c7f214,0x7ffea8c7f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2324,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4680,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4764,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4920,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4756,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5612,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffea7aedcf8,0x7ffea7aedd04,0x7ffea7aedd10

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2076,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2352,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2364 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2468,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2480 /prefetch:8

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3284,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3588,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=612,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4568 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4620,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4768,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4952,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5492 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=6024,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=6084 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5828,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5904 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5872,i,11795201625049756038,10434698092915679590,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5924 /prefetch:8

C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=824,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4552,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4676,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3472,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=2992 /prefetch:8

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5836,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=3712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4740,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3988,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /L"cic_lock_image.jpg"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5904,i,2051230837054290265,4881283293341716033,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /thumb:Client32ThumbDib_4c0

Network

Files

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\_ISMSIDEL.INI

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\Setup.INI

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\0x0409.ini

C:\Users\Admin\AppData\Local\Temp\MSI7EC5.tmp

C:\Users\Admin\AppData\Local\Temp\MSI7F53.tmp

C:\Users\Admin\AppData\Local\Temp\MSI7F73.tmp

\??\Volume{f12d453c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c23533e5-4524-4020-8edc-0951e4dc8e4f}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

C:\Program Files (x86)\NetSupport\classroom.cloud\shfolder.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat

C:\Program Files (x86)\NetSupport\classroom.cloud\pcimsg.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

C:\Windows\System32\cicclient32provider.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.sys

C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.inf

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\msvcr100.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\pcicl32.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\PCICHEK.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem

C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\cpprest_2_10.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCP140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\concrt140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\admod.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\vcruntime140.dll

C:\Config.Msi\e57c8bf.rbs

C:\Users\Admin\AppData\Local\Temp\{88AAED09-C36A-4C45-BD5F-4A1FF9A03FAB}\_ISMSIDEL.INI

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_po.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_pl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_nl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_lv.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_lt.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_it.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ge.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_fr.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_cz.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\Phrase_ar.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_zh.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_we.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ur.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_uk.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sp.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sc.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ro.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\bin\SysQueue.bin

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\36fc7fb0-4b00-47fd-a2be-bf10b1b92d0b\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe60f66a.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\95ebebec-c29b-47cb-9d8d-df2d34226b29\index-dir\the-real-index~RFe60fb9a.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\95ebebec-c29b-47cb-9d8d-df2d34226b29\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\devtools_devtools_0.indexeddb.leveldb\CURRENT

C:\Users\Admin\AppData\Local\Temp\scoped_dir1756_594883867\a1efa1e8-c0b4-4142-a1de-15a96c04b745.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe615728.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\babylon\LICENSE.md

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\babylon\babylon.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\typescript\typescript.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\third_party\typescript\LICENSE.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\_metadata\verified_contents.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\manifest.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir1756_1244622248\CRX_INSTALL\filelist.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c09d2144-a007-4717-a74e-c9816be45657.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync App Settings\kfbdpdaobnofkbopebjglnaadopfikhh\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9632ab6d-daef-4b45-8e34-eba1e9068056\index-dir\the-real-index

MD5 f648935b42dd95f7d237240f09433b88
SHA1 942450c85f3f1c014936d294013a82135c7c612b
SHA256 bd9b0b7307a65c9bf96e2cef171776369676cff5c14598a2b8fa6f4f591e3603
SHA512 87a6c5de0ff7a404f3a1f4aa78c688a69cdb33f0d352d0fe26877067264b9878f741c0f58058b604625b796e0ad5cba4a3f8f43d44db927f849f0510738d25b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 11d0a713aaba0cfb4419433b53fea6a2
SHA1 11854ca283944af449f5aaaa7478e82b256fc553
SHA256 025af480ca2d3b3e2d4cdb1a3209f20ff42aa667cf00fcae20eb4f825e1bca4b
SHA512 a8b841ac7aa2b49ae2e31f0fce17d16b48bdcf62f2326a97eb636bcbb4f5c2c878336a4cdb31018435048042554e745ab9f1e5fe67380304c1b385aed7588904

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3c865173edfa68e9e0e088fc8635f460
SHA1 cf0f659f9502a004ba46ceb8e3592ed031201699
SHA256 f9984856d4980cdf54813d24db693ec789376410fa2d1d2ed627e3684a3f4243
SHA512 724a69a90f860fc8525a96b169589bce21641a38bc4baddf08e138fa0274bfab777f21303b94149727d23949af0eeb880f0116134acff74419a31420a880d365

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 808f82f4743c688a5308e65192d30837
SHA1 77e615dea348b18512160c86a4223ca99956025e
SHA256 27c659712c6832709fefb2ae5405aa54cf49c230c84a00fcf2bc6e44cc832a85
SHA512 3f87556d84babac18ab8bcc7599b40ea148a25319a90dfd3b36b24aff5960ba60b0dc8b48ea122c1d936903c46e041e2dfe251a33fc1020db4e943d0f73cdd9c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 0b4063f834d056521d776bc95f02adf4
SHA1 1d4bb661137f2f1dfe50ef1f019cb5b6dff07ef0
SHA256 3aa717a56e2afc0474d703af8248e2e940f7fba4e34c5e3bf110b5ef6d1a1ac6
SHA512 d92696a13d9a273012e37e4784fd3c47c1e027b7c33a5495b0bc60b98ecba78af844bcc1cbec9153e2611d8fbadc96054469b44309f069e390a0a49fd2ffbf80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 3836592b909fe3f890348c510fcfa7dc
SHA1 83b246e3718370bf4d6a935a856dc9b1b2004bd2
SHA256 a9ce1da34ed53e2659e23d2eea6fa8783378b3c4da29042b2b8fff2b0ae1b1da
SHA512 71a01bae48687de7d8ced2d30f548be8efee344426bd27585bfc6f52dbe1d25a1df3195a370281b9e8c54c46494a2cea257621c896eebce7805ec80321d1c42f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3dbde6d3-c6b8-45df-8bf0-52a53611ae72.tmp

MD5 908031e0a6b8299e77b7e6773662944e
SHA1 7b90a7e78e10bf2a8c00221969a2b8be91dcc26b
SHA256 130bc7e85a534bcab544b5411078319bbc807557e9fb4290841ff80b27d91775
SHA512 043c2bc46b943a3f5e37f1a578a2b449bf922bf09cad82c0bcb3fd1b9ebbb7e669028d1ee3150e82246219946fb48d3abd869e52916a784f7f11ca46bae77541

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 6322da7a0ae6ef520816a82a8fa0af72
SHA1 001e6e29e0d0e01de196dfcd5b39d590258fc55b
SHA256 67683a8efae51faaf9e7fdebba39c907935b92f3ee714ffd0a57e871d8d5a205
SHA512 82937ec67a2bfa7bbe89acea1ede67ad3bc0e615ff108ed141b2f3f10bbf8ea9438c2e4751e4f45b6261b37370a4406b615b0af3c66e8464b47fba9ff726ec04

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6e658ffaf65cd783acfa8193a4c5bf47
SHA1 3515eb01f18ff1ef4bd89157b259dcac59477d55
SHA256 87c4dac9f2d3001af4c496d0c595294728794130712ccfa4f61f386089a0ae25
SHA512 9fcb8ca3bd85a45517a6d9b650309d44e45fa67b72ee5170160eaea459414e3c244f15a0abb9d6d76e2ec7e762c8142a2625851882ef99a97e56abea2c9290fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 b7bb593a04280087eba7df1488c357db
SHA1 6d7baafa2a362f273e7ba4e3127180b53aeba90d
SHA256 62c432e747de113e82137b71e5fc8badaecc9eb18b0751ea98c72b5db1a37e4b
SHA512 ddacb8d00fac08f669032bd563d9cdc01b3d290d71e3b215cfcf42a86a36017d654935155e0d5514f4b37bbe564e840a8dc7f444656af4acffa3afa1c0194ccd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe622e2f.TMP

MD5 877043a0935f4b0d1d2e4bd580e35a37
SHA1 e5cc08f3da24f5df4bcd7088c0d605b7d18ee163
SHA256 2349bc755a1040f1d2aae30d9e35715f35402259e64f5bf936115fc5e5306499
SHA512 095c9f25c657c98c5acebd7270a69386bff1bbb71e3b75d5e27c4d673d55ca8d42fa73349c15d7cf77272bc054dfe441ba6baff62753bf6bc6e938b698147330

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 60c59422aed0412b9c0529a2f84f647c
SHA1 166737aa82e7955b8b8b1c576a8d87593315aa3e
SHA256 1d81511bdb1c4db0eaa071ad9cbf3f5f14b8e13cffd7f1e910dcce5f9983655b
SHA512 d5f43cd7dd278240fe6842326fbb7d6fec7b72a31aa537dd4e416f31ca3a1090880f30b79e54d5dfa4901c18282a2a3c61b846c674a7cb477e4cbf90435ef0ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 fa59002999ddfac171bbce6fb79e8b82
SHA1 83fdee7e99e7aa3ef54d101418986b473db021b3
SHA256 655db15ef208dfb6c363184fcd253414721771b8f9e360d651ebfcf60bd4255d
SHA512 aebb1407da70843df22080f1473505eaf452d85d0374a129a95aea87117dbf6d8be3be534ada1028a8a72fe88d631e4038ab39c446ad068d07415635b47464d8

C:\Users\Admin\Documents\Rewards.bin

MD5 25065b49c3f9d525e970cb41b2f93535
SHA1 d10618df907dc4ee4f35f8299ecc7a0c6878b003
SHA256 3afcde5b17c4106483645f1fc164a246a9498fd6af8d48584dafa0be6c466c92
SHA512 43ab4329e1468d5002011f6fbe84e08084cc01a0a1db3a1db9386de194ff1fc5829a2c8916ce8026c68629b8bee9fef09956a0abd8121b54ea5aa86b25762c76

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9a7bf1b1d20fa19afccbee520193f33c
SHA1 a9a81e3e68c7db6b74cd452b3ee801ce25284228
SHA256 314ea68e458ad4961d718e166db172d54428462da7fafc7b9326f79298269761
SHA512 9ae65da492df43162ba0bd8691a6e9b85f63718069bdbf10a7d96bf79d5afe118c67a439325200586e8eaed5b8c38f6690ba44239f695eaa59252b650bf9412f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 32afc5f55bb3dbef5c74d7e87256ae0b
SHA1 980425caf433399469221f64a51bcee3713a687b
SHA256 2c227a2e0054924de053de861679f4a8316d63b977bf7a7b24144f3a8925d95b
SHA512 28182b051d93dffa19d143ba456dafdc679bc53e70be34e492ff6617b3c1c930471f54502f534fa21fa288de29f87cfe288b9b4ecc74a3f678c3ec4d412b5b0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 acb75893057c384e27e360fc8f086786
SHA1 0292474d6b3f74e36ccc2da9e14866e3dc51e3e8
SHA256 491f267c09ffa70e10a32329f96de9d100feb18076f088cce383842ddf7aadcf
SHA512 7ea7f1c139a97d0cbece80c4dd7b36fab886e075becd395631637247525c0127a3cf631e48382b6607d21faea688cc2b495d6d26e8aad27f9bc85cc60b2595ae

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1564816874\manifest.json

MD5 e0909520982fc48e47a6451443b11741
SHA1 0e46425274933c153ebf5a03f25e693267a8cea2
SHA256 2e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654
SHA512 3fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1564816874\LICENSE

MD5 ee002cb9e51bb8dfa89640a406a1090a
SHA1 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512 d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fb1d23e6-c7ad-4993-90be-a4eee47101d5.tmp

MD5 0ac17e718f5b6e02e6151713128af5b9
SHA1 59d427b6157e20b3a817fceee45a2c6229b0b9b5
SHA256 79014678af5dc9f45e576dca14a38a0a8dcc30fd87a41b51296a89f1b74e1231
SHA512 51638f21c28bd549315e1e7fe0a830bf1d022a6c7346b52acdd026ab7cd0c394dcfdf6c9410a33541cf3a4ba24fe34db830bde74454ff605d42f5181a4a3c50f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4bdce99caea45383a04b70d528693af1
SHA1 95a505f56d79ab8e17782830eca43e5a9a0665be
SHA256 d449493c00a06151115b61ca6f5138236ae7335d97015ef69c60a9fadcf3be96
SHA512 7cda14690f38b7dcec0adcf28fb9aa88c0722a30a40fdf614cb4ef32b030a82009447b9f90f2149ba051bfb31494c06950c63d46a79060cb664e0719ac4b405f

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_642499665\manifest.json

MD5 8177721150435a9b333475e2b8a6e691
SHA1 8aa8981617e8f3d8967a0a4a2d20315317eba293
SHA256 8a4800ed5f63b9371a024c501ee2b031af94539e32e6753214e6d99c625c018c
SHA512 540c4c52030c6a4e1efcfab5eb59760c696bb3e3f1b8f93c97a6368639a911ba3d395190fc0798d99f3c63e25b6dcf2ded482bbda34d36ddd874dd20c2cfdf74

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 ecad59ac0e6444160730730616bed0e5
SHA1 32524ac1affdcb8052dedf5c2ef91ade076833fd
SHA256 1d495eab533b2dd92935488528c032905bbb10005295613002720eb9ee23d5ba
SHA512 7d015d2e2ac497657469f490b47798f03277242ecaeef6b626f15bd66a570f616fa319f90a220fe02976f7ff28791f6738bf07542e4bd1c25bba3d16c2a1e856

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 54a8acc893a02540df2222d9264cb0c9
SHA1 a6964a8888aa342651a122444b2f1eea54496746
SHA256 65bbba507f896ba634560c3df49915e79641082f127bf347545639d9cd96ea23
SHA512 130263515e5890cad368ddf201729d86729b6a6ddb379a5e6af9bc4478cf25096989dfdf1f94242424c82b18be20ae2a82b98931c4aeb329a718b788020aabd0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1beeca67eedfb9e27e0303d69c898f22
SHA1 ba8c0906c0ef7156f0962e4305ff70818de1ba87
SHA256 6a38a4b0df1cf96b2591513a37ae6dd579ad3786e56172838e2609762697f356
SHA512 26f295c23e930722f17741344b3ddef2bdb1e031911bfc34a65ce627c3ac5981eeec0e33dd8d41e20a6c053323cdd29e3844a84a23e63ee963586808b8e136b3

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_473995507\manifest.json

MD5 390af74c5ae643320cad0cef4fa8fee1
SHA1 22ce727f9bcff9a914eb1d58ba8384de6fbda7e1
SHA256 1148c28e540b9b96237b35170a547a13165d6c7c039b8fff9e4b2cd774b92f5a
SHA512 deaeeeffdddea1a9047e97d82e3bb701fb865adcd77ef9e985bb0ec5e4057155e7b83cad4f9f3dd256edf89f19d1075349cea5005dffff8420da4d0646be413a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\edge_autofill_global_block_list.json

MD5 adb5f6058f82680a26d6ed02b44e5a21
SHA1 6197ee74e40c742e184357dcb6dfcc7e32818cae
SHA256 7655c9afb5f2ea39b18e302498b34009ca02b72451f82a6d4e7fb4d8d954f050
SHA512 742dd8f6eaf1bd5f24b37e90d7a3dce7bd0a8edf399c2dec25cd92d2bd6e1d663ebab3c68234812f0144061d4f22f0c2c43de890f60e24d93133bbfe23a6d1c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\v1FieldTypes.json

MD5 c1a0d30e5eebef19db1b7e68fc79d2be
SHA1 de4ccb9e7ea5850363d0e7124c01da766425039c
SHA256 f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1
SHA512 f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\autofill_bypass_cache_forms.json

MD5 9357a694006d8bec3d0f8c9607b76ff8
SHA1 6335ce691999ec10de742cd07d074eb648631259
SHA256 b6c37df977f149c5a444c72ea4469ce666c7975d34c6e2e0d9d8ec416f57dd44
SHA512 87c2d0192f3a78b13a691cda14da507f260d13331b792eb973869bd6dbd0f207faa48f68882be691641b46c06ed12ee8b9728a3b596df67a1f9a4831b4369a44

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1542358329\manifest.json

MD5 a30b19bb414d78fff00fc7855d6ed5fd
SHA1 2a6408f2829e964c578751bf29ec4f702412c11e
SHA256 9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f
SHA512 66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

MD5 bd6846ffa7f4cf897b5323e4a5dcd551
SHA1 a6596cdc8de199492791faa39ce6096cf39295cd
SHA256 854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666
SHA512 aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

MD5 17c10dbe88d84b9309e6d151923ce116
SHA1 9ad2553c061ddcc07e6f66ce4f9e30290c056bdf
SHA256 3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e
SHA512 ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_458347890\manifest.json

MD5 b4d869dd7052d78d29b3e439565f1600
SHA1 caa2cfa31729f4348a02514eba0235e72b88ce5a
SHA256 0f8ee89c4a420bda691d058cdd96c874c2edeec84145c81c957e98d05e351d3c
SHA512 1fda3488df8c43ad413b2e69a5e2292322fe837f7b27b88302b4e591e7e13fdceacb0af9b8bb92ca7c0d2b39abffc776c6cc35d18abb86ce91f55c719b43480e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.11\data.txt

MD5 1bee2c36cebf096d8a559d5c4eeacff7
SHA1 c695eda67f31d729dfc336b8a471ad6346a39031
SHA256 5e4014e267eec120e673cfbc407e4340c234a7898319b35a304ed6ea343a7999
SHA512 ba520d383be95d8b15140b7e38e4e7ac03077bbbb8ee5326ac4162be9403bc9f0576e53840fc22cd9c4038f19f60bdeb7b4e8e0125da6ed80670238de812b4b5

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_528652613\manifest.json

MD5 0abdce2e93f6542edfc9dfbcfb61ce89
SHA1 08067386e18ea1d48d916ecae2d2583a5f6df6ce
SHA256 d912b0ee06353fc36393d1c187a22d37d467e14ddb389a930ff7317b6760531c
SHA512 ec60d26c4b1c1e437c5c88fd9efc504843551a51d3c1b036a5b518cbaccec6e86fddca534b96d490872c6fd53a874f765367d3784473b948f112a51addc9f730

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.7.2.1\typosquatting_list.pb

MD5 8aeeb5c136b1deeeee3677f4b93e2575
SHA1 c716557d8d504577e2d22bb710e94663b91c80f3
SHA256 b8d2c9ee5824a35ef1bcc746200cc710bad4951d4ee16be4acb8a8f503bd4856
SHA512 a5b927c20ade622589e09a7443e7fef2ae2b445b22aa773c4bd05c248d48f0bd0e7e2f3595441bd40957c08f29d660f27b7238030c51303d338738e2b1c51b17

C:\Program Files\chrome_Unpacker_BeginUnzipping5380_1320827036\manifest.json

MD5 b0e549dcc425951a670808d628ab5181
SHA1 63c37e4fd9193836f0100cee2bf76585787ae94b
SHA256 b2c8ee75956c3bb7ea6865137c441b916badfb99c922c17785875e784c96e29a
SHA512 d6dc7c7ddd5ad8ca06a831faa6bd399c8af77e0b21cfd039c608f366fb54b8d4553fc8f947a070544f472966190cf1ca5a236d1084be824b06684b6c6e8de0dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\24.0.0.0\ct_config.pb

MD5 4fdf7c8ca48768f459c97b25fdd10d9b
SHA1 d1f0ac34a53294875dd7bc03dfbdf5c7ae65a4d0
SHA256 6a350094ab9a19b758f6660a58afdecc44e83b3ce8c3521fe3b831d5945a3911
SHA512 7322c942946b83ed8cf8875613f72ab5fa5fcb4ca1671bba22bd02404546f8ce099b2941cb0897b3209aecb85b6ac2f1b98f2d11678e5304b55ae3974192042d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\24.0.0.0\kp_pinslist.pb

MD5 563bdb2192acf2c106832f696df5d84c
SHA1 898eee38d08e09254c39dd0d1707c98f95cb2fa6
SHA256 2efcd280779456d767025a4f2915012cb9b11af2b8e199d3f32152232bf09460
SHA512 550e3dbaa0a5d74763465318b6f14035e16e1d70602ca36a5636d159875b527fae51f0c7f81e380797b4871283dbddb964017e7a16857228a621284d7aef00f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\24.0.0.0\crs.pb

MD5 916f38644626b7201f29c01bc659525b
SHA1 c259bfd1ccbf1347b6a0bac43e7aead100ca7092
SHA256 8ba4acc8582041e5caa5dc4c73ade421b52a8b018e70f12b7a1437f74c6a955e
SHA512 33539525ec8bf13ee832365994dd6b3bc2162ef64e032baa1ab6e45d701125d08009504c254e85b763b69abd93f10366a4b44e5e62f7705c988c089aea447d19

Analysis: behavioral2

Detonation Overview

Submitted 2025-07-04 17:18

Reported 2025-07-04 17:28

Platform win10ltsc2021-20250619-en

Max time kernel 480s

Max time network 479s

Command Line

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

Signatures

NetSupport

rat netsupport

Netsupport family

netsupport

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\nskbfltr.sys C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\D: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\F: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\f: C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\S: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\cicStudent.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\comdlg32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winhttp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Storage.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\fastprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wintrust.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wuser32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\gpapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\audioses.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\powrprof.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\UMPDC.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dwmapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wsock32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wininet.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\MMDevAPI.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\sechost.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\version.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shlwapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\psapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\netapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\samcli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Windows\system32\cicclient32provider.dll C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbgcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\CLBCatQ.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernelbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\setupapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcrypt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wtsapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\profapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcr100.i386.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\SHFOLDER.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\advapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\activeds.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\adsldpc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32full.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\comctl32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\oleaut32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winsta.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Windows\SysWOW64\DnaMsg.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SysWOW64\wrpcrt4.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\combase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpcsvc6.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\mpr.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winspool.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\devobj.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msasn1.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1045\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dhcpcsvc6.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\msctf.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\cicToolbar_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase.enc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\libcrypto-1_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\SHFOLDER.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\ucrtbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\ole32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\NSSecurity.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\js\lockpage.js C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\wldap32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\netapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\NSSilence.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\1415\IAViSResource.2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ShowAppCIC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\openvino_intel_cpu_plugin.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\cic_lock_image_ws.jpg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wgdi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wgdi32full.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\CLBCatQ.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\msasn1.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\7519\IAViSResource.12 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_highgui481.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\1415\IAViSResource.12 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\3082\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\SHFOLDER.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\adsldpc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1053\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1053\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase_sc.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\DLL\netutils.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\bcryptprimitives.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Kernel.Appcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_imgcodecs481.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\winmm.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1038\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\7519\IAViSResource.11 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\1415\IAViSResource.4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\1415\IAViSResource.13 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-interlocked-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\DLL\dhcpcsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\dwmapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\2052\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1042\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\images\LS-512-white.png C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\winhttp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1036\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\netapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\VolumeControlWVI.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1044\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-datetime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID060.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c8ef.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID2C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setupact.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File created C:\Windows\Installer\e57c8ed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID718.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File created C:\Windows\Installer\SourceHash{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\CloseHookApp64.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c8ed.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1700736726-3374942736-1745806820-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMEM" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-19 = "Ultimate Performance" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\VBScriptSetScriptStateStarted = "240645484" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "210" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@Winlangdb.dll,-1121 = "English (United States)" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000d66b3cfc07eddb01 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell\Play\Command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\InstalledBySetup = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Polish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Version = "33554434" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\German = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Japanese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\PackageName = "classroom.cloud Student.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductName = "classroom.cloud Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\ = "cicClient32Provider" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Dutch = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.rpf C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Bulgarian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Portuguese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Serbian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Swedish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\ProductIcon = "C:\\Windows\\Installer\\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\\ARPPRODUCTICON.exe" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
PID 4388 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
PID 4388 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
PID 4956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4028 wrote to memory of 1396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 1396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 1396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4028 wrote to memory of 520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4028 wrote to memory of 3848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 3848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 3848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4028 wrote to memory of 1436 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
PID 4028 wrote to memory of 1436 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
PID 4028 wrote to memory of 1436 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
PID 1436 wrote to memory of 4172 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 1436 wrote to memory of 4172 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 3668 wrote to memory of 1868 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 3668 wrote to memory of 1868 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 3668 wrote to memory of 1868 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 3668 wrote to memory of 1940 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
PID 3668 wrote to memory of 1940 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
PID 3668 wrote to memory of 1940 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
PID 1940 wrote to memory of 1536 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 1536 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 1536 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 2528 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 1940 wrote to memory of 2528 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 1940 wrote to memory of 4576 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
PID 1940 wrote to memory of 4576 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
PID 1940 wrote to memory of 4576 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
PID 1940 wrote to memory of 3188 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 3188 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 3188 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 1940 wrote to memory of 3400 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 3400 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 3400 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 1100 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1940 wrote to memory of 1100 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1940 wrote to memory of 4504 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 4504 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 4504 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 1940 wrote to memory of 4824 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1940 wrote to memory of 4824 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 4576 wrote to memory of 2108 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 4576 wrote to memory of 2108 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 4576 wrote to memory of 2108 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 4576 wrote to memory of 3320 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
PID 4576 wrote to memory of 3320 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
PID 2108 wrote to memory of 1104 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
PID 2108 wrote to memory of 1104 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
PID 4576 wrote to memory of 2504 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
PID 4576 wrote to memory of 2504 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
PID 4576 wrote to memory of 3900 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 4576 wrote to memory of 3900 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 4576 wrote to memory of 3900 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 1940 wrote to memory of 4116 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe
PID 1940 wrote to memory of 4116 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe
PID 1940 wrote to memory of 4116 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}" /IS_temp

C:\Windows\SysWOW64\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7932AFB00AC3723B905D7B8DB55D15DE C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 122CD0051161772AEA84E7F4F7F8D03C

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 82DD52CFD756EB0DDEBA34C2BE4111E0 E Global\MSI0000

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

"C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

winst64.exe /q /q /i

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EB90200,1

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 2108 532 Local\CIC_ESAFETY_IPC_KDB

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICToolbar.exe" /utf8

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /scrape

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3a3a855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 api-uksouth.classroom.cloud udp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
US 8.8.8.8:53 gw01mem01-uksouth.classroom.cloud udp
GB 51.105.28.71:443 gw01mem01-uksouth.classroom.cloud tcp
US 8.8.8.8:53 safeguardingapi-uksouth.classroom.cloud udp
GB 51.140.146.132:443 safeguardingapi-uksouth.classroom.cloud tcp
US 8.8.8.8:53 nscsafstore6kchir2p4iwrm.blob.core.windows.net udp
GB 20.150.40.4:443 nscsafstore6kchir2p4iwrm.blob.core.windows.net tcp
US 8.8.8.8:53 technicianapi-uksouth.classroom.cloud udp
GB 51.140.146.132:443 technicianapi-uksouth.classroom.cloud tcp
US 8.8.8.8:53 activitymonitor-uksouth.classroom.cloud udp
GB 51.140.146.132:443 activitymonitor-uksouth.classroom.cloud tcp
US 8.8.8.8:53 api-uksouth.classroom.cloud udp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
US 8.8.8.8:53 technicianapi-uksouth.classroom.cloud udp
GB 51.140.146.132:443 technicianapi-uksouth.classroom.cloud tcp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 api-uksouth.classroom.cloud udp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\Setup.INI

C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\_ISMSIDEL.INI

C:\Users\Admin\AppData\Local\Temp\{988C1B38-2C21-48CD-A9C3-E0E695179EF9}\0x0409.ini

C:\Users\Admin\AppData\Local\Temp\MSI7C64.tmp

C:\Users\Admin\AppData\Local\Temp\MSI7CF1.tmp

C:\Users\Admin\AppData\Local\Temp\MSI7D02.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

\??\Volume{37613b1d-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{cf792ee8-bffe-4496-ab93-31867c3039c7}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

C:\Program Files (x86)\NetSupport\classroom.cloud\shfolder.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat

C:\Program Files (x86)\NetSupport\classroom.cloud\pcimsg.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\cicclient32provider.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.sys

C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.inf

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\PCICL32.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\PCICHEK.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCR100.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem

C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\concrt140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\vcruntime140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ADMod.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\msvcp140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\cpprest_2_10.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\htctl32.dll

C:\Config.Msi\e57c8ee.rbs


Analysis: behavioral3

Detonation Overview

Submitted: 2025-07-04 17:18

Reported: 2025-07-04 17:28

Platform: win11-20250610-en

Max time kernel: 486s

Max time network: 467s

Command Line

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

Signatures

NetSupport

rat netsupport

Netsupport family

netsupport

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\nskbfltr.sys C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CiCStudent\ImagePath = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\cicStudent.exe\" /* *" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NetSupport DNA Agent\ = "Service" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\E: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\F: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\f: C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\MSIEXEC.EXE N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shlwapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\srvcli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\devobj.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\pcimsg.dll C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File opened for modification C:\Windows\SysWOW64\wuser32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\psapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winsta.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\CLBCatQ.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\fastprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wininet.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\advapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\sechost.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\mpr.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\version.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernelbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\comdlg32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\oleaut32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wldap32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcryptprimitives.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\profapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\MMDevAPI.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winspool.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\activeds.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\adsldpc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemprox.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\netutils.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Amsi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpcsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wintrust.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dwmapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32full.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\winhttp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wsspicli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\gpapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\nsi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\setupapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\WinTypes.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wbemcomn.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkscli.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbgcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Windows\system32\cicclient32provider.dll C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
File opened for modification C:\Windows\system32\cicclient32provider.dll C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\wsock32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dhcpcsvc6.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\userenv.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\res\7519\IAViSResource.13 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\PciHooksApp64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\winhttp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_we.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\ws2_32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\ole32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dnsapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_po.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_po.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1043\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1045\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\wrpcrt4.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\shell32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1028\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-crt-time-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\libeay32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1035\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wininet.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\boost_system-vc140-mt-x32-1_67.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\profapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_core481.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1031\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\NSSilence.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\Amsi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\IAViSScreenshot.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\pluginsoftwaremodule_RES.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\secur32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ur.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\opencv_imgproc481.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\ucrtbase.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\wsock32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\Kernel.Appcore.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase_ur.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\pluginsoftwaremodule.DLL C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\secur32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\crypt32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\openvino.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1041\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1042\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\netapi32.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\symbols\dll\wbemsvc.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\defuser.jpg C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\msvcrt.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\DLL\dbghelp.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_zh.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1028\PluginSoftwareModule64_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1055\pcicl32_RES.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\winsta.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\profapi.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\api-ms-win-core-synch-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\js\lockpage.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\CICAppHook64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\ManageADAccount.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1046\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Phrase_ar.enc C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\NetSupport\classroom.cloud\Locales\1028\ManageADAccount_res.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\NetSupport\classroom.cloud\dll\pcichek.pdb C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID68B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID89F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57c841.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF7B2B82C7180B1873.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC6D6E80C0FB307E8.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfc140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF08FD784C0875426E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\CloseHookApp64.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\{70749FB9-1BB4-4CC2-9D12-B0B058F63B6E}\ARPPRODUCTICON.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF649529251FDF2755.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c841.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
File created C:\Windows\Installer\e57c843.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID561.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\9BF947074BB12CC4D9210B0B856FB3E6\2.0.2\mfcm140u.dll.5840D246_3D34_3071_9C86_D071F20CB55F C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\setupact.log C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2238466657-712128251-1221219315-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000194595f907eddb01 C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3B9E4CE5450ADE844A5047C6767B1AF8\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\DefaultIcon\ = "C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\PCIVideo.exe,1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\NSS C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\French = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Image_Analyzer = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\LatinAmerican = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Turkish = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498} C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ = "cicClient32Provider.dll" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Polish = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "classroom.cloud Student Replay File" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Finnish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Serbian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\PackageCode = "FA06C577E0F97EF43BC0780831A779F7" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Common = "NSS" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Hungarian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Korean = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\AuthorizedLUAApp = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Arabic = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Chinese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Italian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Portuguese = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net\1 = "C:\\ProgramData\\Downloaded Installations\\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with classroom.cloud Student" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7F2E59DC-D6DD-43E1-AF7B-C27AB2277498}\InProcServer32 C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Czech = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media\1 = "DISK1;1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Bulgarian = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Norwegian = "Student" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\MexicanSpanish = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\classroom.cloud\\pcinssui.exe\" /ShowVideo \"%L\"" C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BF947074BB12CC4D9210B0B856FB3E6\Russian = "Student" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BF947074BB12CC4D9210B0B856FB3E6\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MSIEXEC.EXE N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe N/A
N/A N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5216 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe
PID 2488 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\MSIEXEC.EXE
PID 4776 wrote to memory of 4844 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4776 wrote to memory of 4252 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4776 wrote to memory of 4952 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4776 wrote to memory of 5468 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4776 wrote to memory of 4176 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE
PID 4176 wrote to memory of 3028 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 5056 wrote to memory of 4564 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 5056 wrote to memory of 6044 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe
PID 6044 wrote to memory of 3776 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 6044 wrote to memory of 2280 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe
PID 6044 wrote to memory of 1200 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe
PID 6044 wrote to memory of 4640 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe
PID 6044 wrote to memory of 2496 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 6044 wrote to memory of 2028 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 6044 wrote to memory of 3404 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe
PID 6044 wrote to memory of 4268 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe
PID 1200 wrote to memory of 1892 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe
PID 1200 wrote to memory of 3652 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe
PID 3652 wrote to memory of 1044 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe
PID 1200 wrote to memory of 5836 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe
PID 1200 wrote to memory of 1576 N/A C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe
PID 2488 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe C:\Windows\SysWOW64\explorer.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe /q"C:\Users\Admin\AppData\Local\Temp\classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}" /IS_temp

C:\Windows\SysWOW64\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\ProgramData\Downloaded Installations\{775C60AF-9F0E-4FE7-B30C-8780137A977F}\classroom.cloud Student.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="classroom.cloud.1.e716b429-f5aa-462c-84f2-a53864b14bf3.uksouth.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B3C7C2209FDC1917E06EA15D9A637CD4 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 65296CBAAB07D6692AB3D11F556279B3

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9D8C9CB784B552368CF0CCC9F1C2645C E Global\MSI0000

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

"C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE" /EV"classroom.cloud Student" /EC /Q /Q /I *

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

winst64.exe /q /q /i

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" /* *

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe" * /VistaUI

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe" /Q /Q /EBb026a,1

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\CICSafeguardingAgent.exe" /LocalServer /Inventory=1 /Safeguarding=1 /SGroup=0 /DeviceGroup=6 /AupRulesEnabled=1 /EnhancedSafeguarding=1

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe" /USER=SYSTEM

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\CICPlugin64.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\ImageAnalyzerApp.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\eSafetyHookAppCIC.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\cichooksApp64.exe" 3652 512 Local\CIC_ESAFETY_IPC_KDB

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Components\HookAppCIC64.exe"

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\StoreInvCIC.exe

"C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\\StoreInvCIC.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\explorer.exe

Network

Country Destination Domain Proto
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.105.28.71:443 gw01mem01-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 20.150.40.4:443 nscsafstore6kchir2p4iwrm.blob.core.windows.net tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp
GB 142.250.180.3:80 c.pki.goog tcp
GB 51.140.146.132:443 api-uksouth.classroom.cloud tcp

Files

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\Setup.INI

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\_ISMSIDEL.INI

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\0x0409.ini

C:\Users\Admin\AppData\Local\Temp\MSI82BD.tmp

C:\Users\Admin\AppData\Local\Temp\MSI833B.tmp

C:\Users\Admin\AppData\Local\Temp\MSI834B.tmp

\??\Volume{e35ef0ed-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{338fbb2e-7751-42e3-8af0-c1698cd6c9dc}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_4A7691C1648DCD387ACE7856B33599A2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

C:\Program Files (x86)\NetSupport\classroom.cloud\WINSTALL.EXE

C:\Program Files (x86)\NetSupport\classroom.cloud\SHFOLDER.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\product.dat

C:\Program Files (x86)\NetSupport\classroom.cloud\pcimsg.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\winst64.exe

C:\Windows\System32\cicclient32provider.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\WdfCoInstaller01005.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.inf

C:\Program Files (x86)\NetSupport\classroom.cloud\nskbfltr.sys

C:\Program Files (x86)\NetSupport\classroom.cloud\cicStudent.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCR100.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\PCICL32.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\pcicapi.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\PCICHEK.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\PCIRES.DLL

C:\Program Files (x86)\NetSupport\classroom.cloud\GetUserLang.exe

C:\Program Files (x86)\NetSupport\classroom.cloud\rootcert.pem

C:\Program Files (x86)\NetSupport\classroom.cloud\CloudConfig.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\MSVCP140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\admod.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\concrt140.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\cpprest_2_10.dll

C:\Program Files (x86)\NetSupport\classroom.cloud\vcruntime140.dll

C:\Config.Msi\e57c842.rbs

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_po.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_zh.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_we.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ur.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_uk.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sp.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_sc.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ro.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_nl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_pl.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_lt.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_it.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_ge.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_fr.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_cz.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\Phrase_ar.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\phrase.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\Cloud\phrase_lv.enc

C:\Program Files (x86)\NetSupport\classroom.cloud\Safeguarding\bin\SysQueue.bin

C:\Users\Admin\AppData\Local\Temp\{4C3342CF-EB67-4A71-BFC3-D00A17C2C999}\_ISMSIDEL.INI