File name: ClassroomWindows.exe
Full analysis: https://app.any.run/tasks/87075010-7396-455c-8e8a-875d4f1af998
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 07, 2025, 09:47:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5: 60D84A519F2B557390F2AC91AF36F404
SHA1: 57516E03F11D3BB2CD3937E5E8F1A76962000C1D
SHA256: D7C847F683152CA27D6680D66CC38CB3ABFD3EC66814E805218A45237EE61C3A
SSDEEP: 24576:WG/bxsvnZPix36eS5JhvdStYRa9HXee5ihvdStYR09hE:TbxsvnZPix36eS5JhvdStYRa9HXee5iL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ie4uinit.exe (PID: 7232)
    • Steals credentials from Web Browsers

      • setup.exe (PID: 7856)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 6288)
      • PLUGScheduler.exe (PID: 9584)
    • Application launched itself

      • ie4uinit.exe (PID: 7232)
      • setup.exe (PID: 7856)
      • setup.exe (PID: 7920)
      • setup.exe (PID: 8032)
      • setup.exe (PID: 8980)
      • setup.exe (PID: 8688)
      • OneDriveSetup.exe (PID: 9152)
      • Skype.exe (PID: 3076)
    • Changes internet zones settings

      • ie4uinit.exe (PID: 7232)
    • Executes application which crashes

      • ClassroomWindows.exe (PID: 4392)
    • Reads Microsoft Outlook installation path

      • FirstLogonAnim.exe (PID: 6588)
    • Reads Internet Explorer settings

      • FirstLogonAnim.exe (PID: 6588)
    • Write to the desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 7232)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 7296)
    • Executable content was dropped or overwritten

      • OneDriveSetup.exe (PID: 2800)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 2800)
    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 3076)
  • INFO

    • Reads the computer name

      • ClassroomWindows.exe (PID: 4392)
      • setup.exe (PID: 7920)
      • PLUGScheduler.exe (PID: 6288)
      • setup.exe (PID: 7856)
      • setup.exe (PID: 8032)
      • setup.exe (PID: 8688)
    • Checks supported languages

      • ClassroomWindows.exe (PID: 4392)
      • PLUGScheduler.exe (PID: 6288)
      • setup.exe (PID: 7856)
      • setup.exe (PID: 7880)
      • setup.exe (PID: 7920)
      • setup.exe (PID: 7936)
      • setup.exe (PID: 8032)
      • setup.exe (PID: 8064)
      • setup.exe (PID: 8688)
      • setup.exe (PID: 8724)
    • Reads security settings of Internet Explorer

      • FirstLogonAnim.exe (PID: 6588)
      • ie4uinit.exe (PID: 7232)
      • ie4uinit.exe (PID: 7296)
    • Manual execution by a user

      • FirstLogonAnim.exe (PID: 6588)
      • unregmp2.exe (PID: 6444)
      • ie4uinit.exe (PID: 7232)
      • unregmp2.exe (PID: 7664)
      • chrmstp.exe (PID: 7708)
      • setup.exe (PID: 7856)
      • OneDriveSetup.exe (PID: 9152)
      • fsquirt.exe (PID: 8848)
      • mspaint.exe (PID: 5548)
      • Skype.exe (PID: 3076)
      • msedge.exe (PID: 3564)
      • wab.exe (PID: 9804)
    • Creates files in the program directory

      • ie4uinit.exe (PID: 7232)
      • chrmstp.exe (PID: 7708)
      • chrmstp.exe (PID: 7768)
      • PLUGScheduler.exe (PID: 6288)
      • setup.exe (PID: 7856)
      • setup.exe (PID: 7920)
      • setup.exe (PID: 8032)
      • setup.exe (PID: 8980)
      • setup.exe (PID: 8688)
    • Checks proxy server information

      • WerFault.exe (PID: 6304)
    • Local mutex for internet shortcut management

      • ie4uinit.exe (PID: 7232)
    • Reads the software policy settings

      • WerFault.exe (PID: 6304)
    • Application launched itself

      • chrmstp.exe (PID: 7768)
      • chrmstp.exe (PID: 7708)
      • msedge.exe (PID: 8108)
    • Reads Microsoft Office registry keys

      • setup.exe (PID: 7856)
    • Process checks computer location settings

      • setup.exe (PID: 7920)
    • The sample was compiled with Chinese language support

      • OneDriveSetup.exe (PID: 2800)
    • The sample was compiled with Portuguese language support

      • OneDriveSetup.exe (PID: 2800)
    • The sample was compiled with English language support

      • OneDriveSetup.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:11 19:24:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 496640
InitializedDataSize: 210944
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.5.2.2
ProductVersionNumber: 3.5.2.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: ClassroomWindows
CompanyName: Lightspeed Systems
FileDescription: ClassroomWindows
FileVersion: 3.5.2.2
InternalName: ClassroomWindows.exe
LegalCopyright: Copyright © 2024. All Rights reserved.
LegalTrademarks: -
OriginalFileName: ClassroomWindows.exe
ProductName: ClassroomWindows
ProductVersion: 3.5.2.2
AssemblyVersion: 3.5.2.2
No data.
All screenshots are available in the full report
Total processes: 348
Monitored processes: 98
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Interactive process graph (available in the full report).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 432
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 1
Version: 123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1216
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6644 --field-trial-handle=2188,i,2241890063895465726,16974308154531949613,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=728 --field-trial-handle=2188,i,2241890063895465726,16974308154531949613,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2668
CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
Path: C:\Windows\SysWOW64\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2800
CMD: C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup /peruser /childprocess
Path: C:\Windows\SysWOW64\OneDriveSetup.exe
Parent process: OneDriveSetup.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft OneDrive (32 bit) Setup
Exit code: 1073807364
Version: 19.043.0304.0013
Modules
Images
c:\windows\syswow64\onedrivesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2860
CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
Path: C:\Windows\SysWOW64\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3076
CMD: "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
Path: C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.104.0.207
Modules
Images
c:\program files (x86)\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 3564
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3956
CMD: C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
Path: C:\Windows\SysWOW64\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 73 263
Read events: 72 054
Write events: 1 147
Delete events: 62

Modification events

(PID) Process: (6444) unregmp2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard\Native Media Players\WMP
Operation: write
Name: AppName
Value:
Windows Media Player
(PID) Process: (6444) unregmp2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard\Native Media Players\WMP
Operation: write
Name: ExePath
Value:
C:\Program Files\Windows Media Player\wmplayer.exe
(PID) Process: (6444) unregmp2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Player\Settings
Operation: write
Name: Client ID
Value:
{62B0E2EE-6A06-48C6-B1D7-0CA4C9E649F8}
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0
Operation: write
Name: 1e4389adc72d1376
Value:
2C0053004F004600540057004100520045005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C00430075007200720065006E007400560065007200730069006F006E005C0049006E007400650072006E00650074002000530065007400740069006E00670073002C000000
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map
Operation: write
Name: 1e4389adc72d1376
Value:
,1,HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,WarnAlwaysOnPost,
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0
Operation: write
Name: 57fd7ae3ffc55848
Value:
2C0053004F004600540057004100520045005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C00430075007200720065006E007400560065007200730069006F006E005C0049006E007400650072006E00650074002000530065007400740069006E00670073002C000000
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map
Operation: write
Name: 57fd7ae3ffc55848
Value:
,1,HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,HeaderExclusionListForCache,
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0
Operation: write
Name: 0cac0ebdfbfe17fc
Value:
2C0053004F004600540057004100520045005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C00430075007200720065006E007400560065007200730069006F006E005C004500780070006C006F007200650072005C004D0065006E0075004F0072006400650072002C000000
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map
Operation: write
Name: 0cac0ebdfbfe17fc
Value:
,33,HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\&Favorites,
(PID) Process: (7232) ie4uinit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0
Operation: write
Name: 0e925ec83d9dc2c6
Value:
2C0053006F006600740077006100720065005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C004D00610069006E002C000000
Executable files: 214
Suspicious files: 846
Text files: 605
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID: 6304 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ClassroomWindows_332ff8f571d6cb9b6fcab4bc5912f3d36e27de3_10855a6a_56da2135-02db-4c94-95b3-8a627aba801a\Report.wer | Type: -
MD5:
SHA256:
PID: 6304 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\Local\CrashDumps\ClassroomWindows.exe.4392.dmp | Type: -
MD5:
SHA256:
PID: 6304 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D36.tmp.xml | Type: xml
MD5:6C41CD1F1DEB65C909269909F4518F6D
SHA256:45AD74D20F3A73869A43D9D7AB4C0BEDAA36C464A6A514B08B304D2D456A73D4
PID: 6288 | Process: PLUGScheduler.exe | Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.042.etl | Type: binary
MD5:868E79A00A8204448B2FFC4F4D5C08EA
SHA256:148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC
PID: 6288 | Process: PLUGScheduler.exe | Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.043.etl | Type: binary
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB
SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50
PID: 6304 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A85.tmp.dmp | Type: binary
MD5:9CCAC9096B8E649A3A0AF38827196E9C
SHA256:F1C23B5A3D7037133A05B95DA1F238B52EA0C790FEB5B9C6AFD9643E1274622C
PID: 6304 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | Type: binary
MD5:9D20F798093479F671881467576E0990
SHA256:AE8DD76235F30C6A7E82E8E3D1A43ACE16ADB88DFF8C5B2F8D877CB172DE9689
PID: 6304 | Process: WerFault.exe | Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CD7.tmp.WERInternalMetadata.xml | Type: binary
MD5:27678A783ED53CD5F4043DC852D8104C
SHA256:D3482F74655AB6C4B9A169E563C7856F756BF2D5AC9C93935D81A0CB2ED06E1F
PID: 6304 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | Type: binary
MD5:680B0331A3CC8FCCE16367586EC7A721
SHA256:19F1B5D2C7F62663C14D97578411DC610E5F33E6CE4165977314442435F15305
PID: 6304 | Process: WerFault.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | Type: binary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 96
DNS requests: 86
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6304 | WerFault.exe | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3724 | RUXIMICS.exe | GET | 200 | 23.48.23.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6304 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3724 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6436 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6436 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7800 | msedge.exe | GET | 200 | 2.23.209.58:80 | http://assets.msn.com/staticsb/statics/latest/fre/version.json | unknown | whitelisted
5356 | svchost.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2144 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 104.126.37.178:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3724 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6304 | WerFault.exe | 20.189.173.20:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3724 | RUXIMICS.exe | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6304 | WerFault.exe | 23.48.23.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6304 | WerFault.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3724 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
login.live.com
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
www.bing.com
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info