Analysis Overview
Threat Level: Shows suspicious behavior
The file https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Modifies system executable filetype association
Enumerates connected drives
Adds Run key to start application
Blocklisted process makes network request
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 16:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 16:59
Reported
2024-03-23 17:02
Platform
win10v2004-20240226-en
Max time kernel
221s
Max time network
203s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicStartMenu.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicStartMenu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicStartMenu.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicStartMenu.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | C:\Windows\System32\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\System32\MsiExec.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicIEDLL_64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Classic Start Menu = "\"C:\\Program Files\\Classic Shell\\ClassicStartMenu.exe\" -autorun" | C:\Windows\system32\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\NoExplorer = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\NoExplorer = "1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | C:\Windows\System32\MsiExec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\StartMenuHelper32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\StartMenuHelper64.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Classic Shell\IE Settings.lnk~RFe58b706.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\~tart Menu Settings.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\~tart Screen.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Classic Skin.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\IE Settings.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\~E Settings.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\StartMenuL10N.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows XP Luna.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicIEDLL_32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicShellReadme.rtf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Metro.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Start Screen.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Start Screen.lnk~RFe58b735.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Full Glass.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Metallic.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows 8.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows 8.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicIEDLL_64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicIE_32.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicShellUpdate.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\HISTORY.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicExplorer64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicIE_64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\Start Menu Settings.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Start Menu Settings.lnk~RFe58b706.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\Start Screen.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Smoked Glass.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows Aero.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows Basic.skin | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\ClassicShellReadme.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File created | C:\Program Files\Classic Shell\~$assicShellReadme.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File opened for modification | C:\Program Files\Classic Shell\~E Settings.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Start Menu Settings.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicShell.chm | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Classic Skin.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Windows Aero.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\StartMenuHelperL10N.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\IE Settings.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\~tart Menu Settings.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicExplorerSettings.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ExplorerL10N.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Midnight.skin7 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicStartMenu.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Classic Shell\~tart Screen.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\ClassicExplorer32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\Skins\Metro.skin | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Classic Shell\PolicyDefinitions.zip | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e58b205.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58b205.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB34D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58b207.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{CABCE573-0A86-42FA-A52A-C7EA61D5BE08} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\StartScreen.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{CABCE573-0A86-42FA-A52A-C7EA61D5BE08}\StartScreen.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000042283678384db7f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000422836780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090042283678000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d42283678000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004228367800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\Policy = "3" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Exec = "C:\\Program Files\\Classic Shell\\ClassicIE_32.exe" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppName = "ClassicIE_32.exe" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppName = "ClassicIE_32.exe" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F} | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppName = "ClassicIE_64.exe" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\Policy = "3" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\Policy = "3" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900} | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2} | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Policy = "3" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppName = "ClassicShellUpdate.exe" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppName = "ClassicShellUpdate.exe" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Exec = "C:\\Program Files\\Classic Shell\\ClassicIE_32.exe" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{02E6771D-8375-42B9-9F83-B4730F697900}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\MenuText = "Classic IE Settings" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\Policy = "3" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppName = "ClassicIE_64.exe" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\AppPath = "C:\\Program Files\\Classic Shell" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56753E59-AF1D-4FBA-9E15-31557124ADA2} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C0393554-9B48-458A-B91B-3F684D003B2F}\Policy = "3" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{56753E59-AF1D-4FBA-9E15-31557124ADA2}\MenuText = "Classic IE Settings" | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicIE.DLL | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\ = "ShareOverlay Class" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\375ECBAC68A0AF245AA27CAE165DEB80\SourceList\Media\2 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\Programmable | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO.1\ = "ClassicIEBHO Class" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\HELPDIR\ = "C:\\Program Files\\Classic Shell" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ = "ClassicCopyExt Class" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\375ECBAC68A0AF245AA27CAE165DEB80 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS\ = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Classic Shell\\ClassicExplorer64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\0\win64\ = "C:\\Program Files\\Classic Shell\\ClassicIEDLL_64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\ = "ClassicCopyExt Class" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C698A81E-5D02-42B1-9801-5381CA8BBC2F}\ProxyStubClsid32 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\VersionIndependentProgID | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO.1 | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\ = "ShareOverlay Class" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicIE.ClassicIEBHO\CLSID | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID\ = "ClassicExplorer.ExplorerBHO.1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDA50A1E-B8CE-49DE-8D17-B034A84AA280}\1.0\ = "ClassicIE 1.0 Type Library" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\Programmable | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBHO" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID\ = "ClassicExplorer.ClassicCopyExt.1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA801577-E6AD-4BD5-8F71-4BE0154331A4}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Implemented Categories | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\375ECBAC68A0AF245AA27CAE165DEB80\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class" | C:\Windows\System32\MsiExec.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicIE_32.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Classic Shell\ClassicStartMenu.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.usercontent.google.com/download?id=1UsGIXS_sMBR9tmgSfo0z2d1t22YHmoxU&export=download&authuser=0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb216f46f8,0x7ffb216f4708,0x7ffb216f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16376455366728883700,16904304252338247204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Win7Theme\ClassicShellSetup_4_3_1.exe
"C:\Users\Admin\Downloads\Win7Theme\ClassicShellSetup_4_3_1.exe"
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\ProgramData\ClassicShellSetup64_4_3_1.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicExplorer32.dll"
C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicIEDLL_32.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicExplorer64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Classic Shell\ClassicIEDLL_64.dll"
C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
C:\Program Files\Classic Shell\ClassicStartMenu.exe
"C:\Program Files\Classic Shell\ClassicStartMenu.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 50980E4C969808F25BC4C0BD8B77BC27 C
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Program Files\Classic Shell\ClassicShellReadme.rtf" /o ""
C:\Program Files\Classic Shell\ClassicIE_32.exe
"C:\Program Files\Classic Shell\ClassicIE_32.exe"
C:\Program Files\Classic Shell\ClassicIE_32.exe
"C:\Program Files\Classic Shell\ClassicIE_32.exe"
C:\Program Files\Classic Shell\ClassicStartMenu.exe
"C:\Program Files\Classic Shell\ClassicStartMenu.exe" -settings
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| NL | 216.58.214.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | 71.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.214.58.216.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 142.251.36.33:443 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e0811105475d528ab174dfdb69f935f3 |
| SHA1 | dd9689f0f70a07b4e6fb29607e42d2d5faf1f516 |
| SHA256 | c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c |
| SHA512 | 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852 |
\??\pipe\LOCAL\crashpad_2792_GQKHEIVPNETBEFFF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 47b2c6613360b818825d076d14c051f7 |
| SHA1 | 7df7304568313a06540f490bf3305cb89bc03e5c |
| SHA256 | 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac |
| SHA512 | 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8184efd35bf5af2eb8ec366f974b170f |
| SHA1 | bd66dec7f9870e216bdb42b5f041536b44874d4f |
| SHA256 | 17491b85f7693ceb4d6f55cd53111434625ca4a29294cc1b401c38b3908836fe |
| SHA512 | 11bffbe04f4955dd2e089e18040f8b403653d1dd2910866a605e1646ff57a8f4b04990229d79973bb23bc82373b09388e3804e9a8808c044bc354621f48579c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 263f9555d052691cb330b9c288c2e070 |
| SHA1 | 51f444e709c6efa572aab682082165c30ae1abfe |
| SHA256 | a2b0acd8b224f66ec10daa65b238a5ddeb9bc5be6c52444852c84cd26b82e321 |
| SHA512 | 4f6003e47687d9fc5523be485a7d6cd3d113d71b13d448ae81473faf3164509ff37c1c559ee26d87a81f5d157f9f5c900fc7d1bfe0ac43c40def23e8baefc74b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c6be602e180b6c2e25b34775fc46e1a3 |
| SHA1 | 953c082cc394c2cf27dd03b737962a946b370178 |
| SHA256 | 60db750fda93bb3dda9ee7ba5f8b6707fb520a33dc241b95e6f86c5e843230bc |
| SHA512 | 4cd950a3f463c3de7184b1ed6231549757f04f78a397023a9e8368708ea0ddca91fc79634e031ecc4da0ad41691e29e6e927489fde69ccc7743e98764f1f8429 |
C:\Users\Admin\Downloads\Win7Theme.zip
| MD5 | 294ae9c93e4de26268f68d665e64fd5d |
| SHA1 | 4c0a653069693de08f0590338a3432e60666cc15 |
| SHA256 | 08b6547ec074e63fb9197f48255be0c8f5e9079e95fa189ffb9f6b14a496d64b |
| SHA512 | 86e860fef46a036009c2be2dda0608b7473385008e27231681248abe1bcfa46f167b3391d182a98eb2b74f1d17aa929b1e98093f681197248a02a8eb04428ee0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 80229c16a834267d493dcc80c5cab1e2 |
| SHA1 | 71318dc148c04a76ef860fe2fb26d4205cc6cccf |
| SHA256 | 3a2a29202bab4329032ecbbc2e5d6bed8f78af387880eea9fd7b93afacfa2dc7 |
| SHA512 | 8c33e4e1d93f1a6e4997ddedc68ee2ec2d71b9000cd9297609186f07f56ebb645dfeea5566dff7e4d415d7446debc9f37967b3178a482d99200bc34a62322a34 |
C:\ProgramData\ClassicShellSetup64_4_3_1.msi
| MD5 | 0606a9a7e1157a08c1098718575edd6b |
| SHA1 | 44737e63cf3565d34a6a36fd6365ec92429fb3c7 |
| SHA256 | 347d8e65f200ea8c4eb9752f56b62d14af4370ecf7f13657a806fa1433fbffcf |
| SHA512 | d46c9829ed2b67a37429723af09f46e11d0d7b61cf5b398ca1daa2ef061c5b4de68ec89a95bd8a612ccd87899ff07bd802cc12fc8d1e0e5746ddbbdd7b0ef4ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4c29ee368dd9df9a9fa0c2a81e0880bd |
| SHA1 | 4c645b0b5065adb4441ac3b7bda275c030b47533 |
| SHA256 | 5f0aea65f9bca43c168c4d4926fffc1b6abbbe12686eedf740b8604672fb83a4 |
| SHA512 | 870a02b8adf6fbe6e963bb495c6aa09c2f18e652c88b4f80b6512e523a91f179c807bda6cb4d31bf7b0677238c14582098cd02e7568258c46918f42c065ddad0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0602B4943A2FCB32C8E00E4BC52232F6
| MD5 | 798ca16363b0e6b85bfb16e1d1a6e513 |
| SHA1 | 129fa2b4d5d51eeaf6d80beeef0de15186f3f5b9 |
| SHA256 | 407c39695be114245cffbc8dedc2304ce688cb48cf730b5ae2af54cceb7d524c |
| SHA512 | 6d6bea262537578f8d5d01ea8decf809333e3a78348e2b3839c93f1e1691d5db3549b7b8b1d8df1b989eba312892dfb5103b2b0247c86f404c201cd071344898 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
| MD5 | 01e6c534d2c674de8ec8214121156074 |
| SHA1 | 9dbdcb4fc02b968ebe948e939db9a8a56ee376da |
| SHA256 | 4d97a86e4ccaea2a4bec9019d0bb923304a8c851c286cc866ca38a61d87b3504 |
| SHA512 | 7626d0835476ef7653dbe269a87409097b6c791dda9564834e203ccce00a741d11913c93e90e7acfb1ea7918a01e1fc7715213e6c456acd22e0c99d2e864600f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_0602B4943A2FCB32C8E00E4BC52232F6
| MD5 | 35c39cadc3524c3263fc3cdd4c228eea |
| SHA1 | 0147775826c6a8dc01f3d720c8d6026b3f8232ae |
| SHA256 | 55b7601fa875aab0c83bc4f9894563fd1dacdc680ef15877ade7b7440c585da9 |
| SHA512 | 649be6391f1453ca4c454d7ca085431bdbe86022a6f60fc9acd95e54755bc4c38e3cf71d2a1730b5411e66b40f3648dd4685b0e491171b6bc8f812f05fee1af8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
| MD5 | 1cf7793fa00dbf6c23a664726bc6969c |
| SHA1 | ccc2d1bb2b043c1f9a7b6228f5922bd36373e2aa |
| SHA256 | b3cf4d89d8e0d28e339716b8934e6613a6917b2a9f1bea4aee397fda3262c595 |
| SHA512 | d405dd5a35bf700df2b72e1df0f798c6d99f2e5e634c39dd0d1ad60e644692b67633ef031ebde1bf0dc2f84c3e01eeef43f4dbc979f3825067aa9c85d2af5ba7 |
\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2388535-af59-4dec-aa4f-1cf7549743fa}_OnDiskSnapshotProp
| MD5 | 4612a46bdee73f5c0595fe2355b23863 |
| SHA1 | 08ea7e4bb6c5bb5f794290f02d5e014c8a1088a9 |
| SHA256 | 9a94c80c56d378ef2c74d096ca3b711591c2244b828376f46aed7162674f0d88 |
| SHA512 | e455c1a3fcaf64e2bc96e1c2969b8e4becd5f22180347c11f73195205fb5a033560cd2b56dddd9417f569135359661caf3b5c59ab700477a06d2ecfffa29206a |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | bcb343b5d0ebaaab399dd2b17ac16851 |
| SHA1 | a7e166debe5ac3621a8601191f3630e3591a2f16 |
| SHA256 | e7ad84350993b7bfaa29d9cf6158834b71311e4e0f4eb4d836dad095dc33bd22 |
| SHA512 | bfab2a3f238d8697d417feb696ea85a15dc1889b3e60b31cba8d23d3524d756d32c4204767f34b9cf298eed769e86172cccf01ace83ea4e6ea408a847bbcac8a |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic Explorer Settings.lnk
| MD5 | 2624d78641190bc686347c31bad9e52b |
| SHA1 | 29b641271e95770c722b68a9b9c4cf442cbf7c08 |
| SHA256 | 62cf9c22e6899ea57e1e3df6a55ece12f3a3ff9a63a7d75ee2a6cc8b0762635c |
| SHA512 | 85218a13d3a90559090729a32a32f97f2af5fd10f1c55c7ca3f4f0c752326c69f086848996060a1f10459b565c68a66596488e1d829f3ebdabb14048fbb135ff |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic Explorer Settings.lnk~RFe58b6c8.TMP
| MD5 | 478d883e0e035faa065c132c4e39498c |
| SHA1 | d00270099b85536989146ad186cfc784c8e292fe |
| SHA256 | c2c32a8fe540c75a97b411f44097f89b889339ee498c5cea366b92538efc8fb2 |
| SHA512 | 510319c271469318203d5ce08452de07a55898ca034168478a633dfd75b01bc4acf82af9d4101831068753ed5b36aaef07510d2c59084fc04f14fb8ba9314bf3 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic Start Menu Settings.lnk~RFe58b6e7.TMP
| MD5 | ad2d6d9cf6b7468f9725371e640402b4 |
| SHA1 | e82668c395b601478c6b984f760ca5c1ec4980f3 |
| SHA256 | afb9f254b9e662a74d40bb1c9d29872f15bd7138abf08d9fd8f9a0c6a821a166 |
| SHA512 | 054ea4b6b060b1f0752ca108050b243e79e726e7245ab40c500b7dcef87843385b68e899d63d3a6ee839bf43109c4ea378cc4f664208479a4505a42679ec9f2f |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic Start Menu Settings.lnk
| MD5 | 535dafcd4d9d79b4ede079757a656089 |
| SHA1 | 1427658eff734b6c2d914c351915404b3a0ed395 |
| SHA256 | 0e8f2eb0f564092759200187f0a08f07d8216fcb851bc80d5265cb62e26cfecb |
| SHA512 | 922e11194e050fedefe3233df3c16af5249bc73d9a5da3c83926938d278c35251a71c5cd639959990d9a01a8ab5fdf91b76c6c56b47cd389b588ff317f362f4e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic IE Settings.lnk~RFe58b6e7.TMP
| MD5 | 6e082747659437e78474d4a12e178336 |
| SHA1 | 9b405bb65eef13da3867123464786e384d1e51a6 |
| SHA256 | 4dfd3f56970b0ea108bf827450819c613969a6dd15d79bd13de5070fce593dec |
| SHA512 | 8b9be4a8c23f703c7015968d0518a14749d111ba963dd5fbfaa8af0e6a7dc306445e53218405d85246c5fdf472ee034784f2f7ad7e1ba3baa87fb612bdfed4cf |
C:\Program Files\Classic Shell\ClassicIE_32.exe
| MD5 | a1c24588503cd2c1690ef94bbf341829 |
| SHA1 | 5368795d2a0c0bc404ef2d108a4812979f4544f5 |
| SHA256 | f37f3bd363d1695e0a151c3302fcfb8be770eb107b066d05f10c4fb6c946318f |
| SHA512 | 7c2e079dd59cd3c905db6ef1c41356d38e000c9d1fc7e4867be4b2039ba866871f310c096b29b93d07b71b52b78ac9274ffb77a8257f4a8d7ddf8dd4af8b4b7f |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell\Classic IE Settings.lnk
| MD5 | 92f546353916da986a5b325313f52252 |
| SHA1 | 136b9a897eb78c439b7966050df5b4c699ed83a8 |
| SHA256 | bde767209e3497a15edd2fc668d447be4aec60fa71c99904df12f705035806ed |
| SHA512 | f75e7afbce4d1d9ab34c561f4192511ad7a652c9d40b80c82b99d53ff6b144a35671feafed497ce21ec0dd2ebd3dbf0ab45ad2dd504a98b36ae05ea54c3937a2 |
C:\Program Files\Classic Shell\IE Settings.lnk~RFe58b706.TMP
| MD5 | 8f33b7e9a9c738dea02dcc697b4466ca |
| SHA1 | c7b18247c7d380ddfbd004ac504b303b108fda2d |
| SHA256 | 68c57f47c6dd1ef5a6f61718302b6c8992e4c26877d61a86fe1a84c112185e27 |
| SHA512 | 9f498d8c5e481143e64ecad63c047e7a835273f90200276c94a26a54e64f8b27eec8f5face5779b637a662d8c4ba5d45726563449c9bbb7a13284de6062b5699 |
C:\Program Files\Classic Shell\IE Settings.lnk
| MD5 | c4a3eb86f377ffcb7fe43dba9e0a0668 |
| SHA1 | b59e8d3ba5ebe84c0d3c6e21a8df893fbc909139 |
| SHA256 | b0e7390bfbfbbd68c6ab52e620e6354f22ddaa4d66cf3d33999a486965a14011 |
| SHA512 | 8eb42d5c86f5903d01ab1a88b03547cf46f4cede824e63694f51d8f6f443e6e9ffa8937009a854f01c5a193ecc44633d4627a00d87f736373e13615effb0c7cf |
C:\Program Files\Classic Shell\ClassicStartMenu.exe
| MD5 | 6776a3d1c644bfe33932189b00165caf |
| SHA1 | c109b9b2f344748daff26fcc0b55fa0d2cf8322f |
| SHA256 | a99adf420ef6498e2e665703fcd1dc76bdbaa5a2e1f38d72f7229a9c3cd932e7 |
| SHA512 | 4db70c69be312d8065b2013d0a83b235969c7f38b31a8c54c63f8f6c0a888f139df45eeeb6c245bb7d4dd07f24a18be9507c4a80dee2cf4d274f7bc8cbbf8aa9 |
C:\Program Files\Classic Shell\Start Menu Settings.lnk~RFe58b706.TMP
| MD5 | 2b59d2df60cff9e5b87cbbb9c5d97e0b |
| SHA1 | d35ff86e4732741c824b1ebb55ac882306cb6116 |
| SHA256 | fe9f0b2de3c0a84519e2025f416e98a7903feace9a6d9e57a3680c88f19b01a0 |
| SHA512 | 8e9054621d9d027680999bf7e30a7111d89fa18b5e2914d692df8f2f350a4ab91f953e4e845ce18c5ba1430b6d57ce3f99c22765d40ee156909c7f373865c29a |
C:\Program Files\Classic Shell\Start Menu Settings.lnk
| MD5 | bfcd1b03a72cc8d017f3ddda2e5c0b50 |
| SHA1 | 17eb546f19e60e3b7ef692be963bc5d6928e8a78 |
| SHA256 | dbb96fc6328c5178846cdbc813bea04a9f418ee1f31cf3407304816ba5ef65ba |
| SHA512 | 8740059f761396d66ec716df0de65ae6b2f81fe3c8f55a439f8d3ac249f9b3c0b3c03e51dc042ba939ea79b41ed254f7611b25ad29465f157c7372c6c7a0e5e7 |
C:\Program Files\Classic Shell\Start Screen.lnk
| MD5 | bc5b85e4348c093ad6c0df4bc4724ccb |
| SHA1 | 9a120c43a90bee66a863cf651ec4e4c7ce46209f |
| SHA256 | 6a1bfa5a7d59365f5dac34f4a2fc34e951e9a7e80ec7bf3217b4302d2583211e |
| SHA512 | ed48c2d9190bfacde79876401fd00675db860e197d8478bee7aff2fedbb1fb71d3ee31f3dc59560b11ddf1aed512c440a0160c4621f831c99fccb853d84b6ac5 |
C:\Program Files\Classic Shell\Start Screen.lnk
| MD5 | 2350a9764d413ab8ff7d0b6d5ba547aa |
| SHA1 | 6b5f769a1fe42755c89786b004c12e042e64d714 |
| SHA256 | a6697aa737610d50d6f1d613c2c29fc1b39785fb651a74661db28dc845532013 |
| SHA512 | ded972e3649e645ae59964980dad01132deb3f1c9cee80809338e58f623fb4a7864f7a427b36a1052315345e4ed381b0a87f543365b68a1c9e3b13138290961a |
C:\Program Files\Classic Shell\Start Screen.lnk
| MD5 | 4e9e7deedfbd72927559567e7d102969 |
| SHA1 | 2c57a66669004858855d2578d94efe70279a1804 |
| SHA256 | ac93715355042eab171fb7f75794e923f19d515c70adc22a059cfd5abfc99e58 |
| SHA512 | d6bdd0ba1b00c94bbc4a1ae892b52560382b4145b3bf52e955615b219c627d4f58c19596d7c627335928df90598b8dd63acfecf60b25471a749ea8c09e63c1d6 |
C:\Program Files\Classic Shell\Start Screen.lnk
| MD5 | 9fa09580037cbfb254e125984da9ba6f |
| SHA1 | 1382c0d759d0aaf317df0b403791577ac2022871 |
| SHA256 | 94a222f5469759e821cb64cf715827d54af1eb914c5106f3be10b65d08b7f11f |
| SHA512 | 76c4f216e5d90c191d0c690d3bb7fa2977fc3e8f4e3602d69eac9b28b2f381223caf697051aaef9b12b537ce50493002913ec9d53f33d4b02fcd999332b69ed5 |
C:\Program Files\Classic Shell\ClassicExplorer32.dll
| MD5 | f239f9186bbf10ef438b0b0c5a71d9a9 |
| SHA1 | 6b1b562c59121049bf5c15187de51a507710e5d7 |
| SHA256 | 5cd5193b50cebefb65ddfa227e2806425b35327d6b545145c6e65a946ed43928 |
| SHA512 | 7f63ec4ace5679c6c2775cfdc7c21f77d0481bf779c78b51d2806551b61ad5e39d18e1786bd9a0db968afb2a1279c7543d7067b84b4907a2817d4ffe737f5f94 |
C:\Program Files\Classic Shell\ExplorerL10N.ini
| MD5 | c89e164a7d30247919fae38c7512ad24 |
| SHA1 | f42bc1cdc66e4822dae63f0ae2f640e4b217615a |
| SHA256 | 7974a14e02b91a3bcb1e15fce3aad7d640d2800989cdd1ba3c5a82f847de5b98 |
| SHA512 | eaa448ec09ee02bff711a2101303f80fc608f6d5b9760c3f3c963cc4d36c4f88eb4bde16573955321f0166a171f4f98d3ae5a8aa805c5d972de855491dc98031 |
C:\Program Files\Classic Shell\ClassicIEDLL_32.dll
| MD5 | d82c55ef5c9f4dea2151907d45040b4a |
| SHA1 | 605aaad9c12ab3fd3a44c9b9adbfd9c75196d565 |
| SHA256 | 336f2689d81bc7c2b623c1e1fb67b6d32d4b615dcce94dc9e37ed9e1bf59eac7 |
| SHA512 | f8d7bf2397e73dd718b4553f45c2b28cbb44834992da87832ee71d686c845938b068a2be34af4366ccb5894618d89fc5d911d04cd1e0461f7096243d6c94cfe1 |
C:\Program Files\Classic Shell\ClassicExplorer64.dll
| MD5 | a7bdf136014cc2be258ccac078f437eb |
| SHA1 | ef1108633774f52e406f2a787a2102035db21858 |
| SHA256 | 363809b264b915bd640580f05195a61f308b351555667072239835ec51f4405c |
| SHA512 | c90637f3d5d6892abdef506566b130d6816ce0ba8c9f6506742144b63678b22e80ce7839dcf7b9bcbae53bd4e8c355781b06a9b64cbbd1b901176b1779fb5b8d |
C:\Program Files\Classic Shell\ClassicIEDLL_64.dll
| MD5 | cc19cd33a861f4768e2a747d71ad5f79 |
| SHA1 | 7b39a2468a0928e76ea096f17ea1ef5c6837619f |
| SHA256 | 20280766ade26aefc3c1f9fb69f9c7a9d8d85cedeebf6b8b156adb49f1ee3c0b |
| SHA512 | 78873ad62e3d655b20865146da8a4df7c1cb9730f5a5172309cb4bc8bd1e6f0fd28f9a7b65e14dce1f6ff5bcb75c0d0e50e12961e7c01b005b6e4d8e428067aa |
C:\Windows\SysWOW64\StartMenuHelper32.dll
| MD5 | 5679c87e409ea2271c65daca31581604 |
| SHA1 | d10d16f08dcf33bc50d9a706d0ee94e0f71e7483 |
| SHA256 | e662bbdd855b13de2391d543d8bde824b59b47ea0691147fc0e86ab19444ac19 |
| SHA512 | a26128178e9a39589753680714b5f9de4ba60a0e8674103c63dae0793facf4e0b43fd57b6270fe29501bf1031f80bf4f6d285801f2120096ecab2e15f0a0c4f5 |
C:\Program Files\Classic Shell\StartMenuHelperL10N.ini
| MD5 | 8f13bf2f1f487b6b4b1580322c95b1e9 |
| SHA1 | 7acf79e62409413f83ea6a86b8672cda9a92f81d |
| SHA256 | e082504eb91d7e5ed60f5a6b7866c77349c566d7185f167d24ad022e02e83c2c |
| SHA512 | 49bd5e70912ca70326460b6223a4257e5658a445135e446b49616f903cfb685086bcd606b16a4f17d18849f91d1726fc904237e6663aacf55ea47530347e0bac |
C:\Windows\system32\StartMenuHelper64.dll
| MD5 | bdc5a9ac0c6437ec7c272cb06c6bb5a6 |
| SHA1 | 5df8e23bf820b47a2eb0d3b86e013e86d5362646 |
| SHA256 | c85fd8fc877b9e360766592774f9e1fdf3fb9a74258b52b0d53e1e6723fd0f4f |
| SHA512 | 0fe0741fcb28892d7a9b5443bc8b81916ea1723ac91310943a8f5d5c51421c921c9125488c6f54ad0bc69b9522ad8cc11998644705e6eb7d3c5919a3fee5b32f |
C:\Config.Msi\e58b206.rbs
| MD5 | ae2d4e7cd4e144496aaeecc1494a88a1 |
| SHA1 | bea389bd58fc60d59fb18c9d5aaa481ff42621cb |
| SHA256 | 7ddae75f6cd5a8f75c7abce06f983004e0bbbaa06e0f6399766658516742e8fa |
| SHA512 | cda71f11c3a39b98d0823008120dc0a2be7ffa9f7395e7fbfcc8e3d02e6c248cf2f93bcd8ad087b5f72058f8d74e4bd76b751d44fe23eccd3844e9fed2afd774 |
C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll
| MD5 | 1434e96c86a3b5a9ba9c9a95f1be1584 |
| SHA1 | 04c81a71e96940dddc13a097bef440343c8d197b |
| SHA256 | 3ad92e7759614d08395ebdeec411035c7d68cb2fa7532b70fc564546f9dec4b1 |
| SHA512 | 9e9c37047671c5b67180612771d037d332139ba46c6cac16196e9a863c120d4b45e72a287e6df41759e04a990f9a77a04c1c841bb89fc6b88c69189a197601d4 |
C:\Program Files\Classic Shell\StartMenuL10N.ini
| MD5 | b53021bc0d4329a1567faff97cdb624a |
| SHA1 | 2b2f8d5147011eb1174d9d7268f1838e7d71875f |
| SHA256 | 8b56c1a8881f34ad52e6530becb21be691cb6739472befa06835987b6602d9e3 |
| SHA512 | a262769074ccb5909188f28afd0473be7a0c1dac905424fce6b6e7850003ed0388ce718872010dd64a67b2b488c96e6f69cecb690851fa113776347abcf9beb7 |
memory/1324-340-0x00000000023F0000-0x00000000023F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSID4C0.tmp
| MD5 | c62f1d994bb13e677211bbdba96433f8 |
| SHA1 | 3a00d34df6ec81035234e339194fb49fbe317dbf |
| SHA256 | 3585ccf92c60150cf863e26c0eb2948e206841ca8ff91dac092cf567eef0880b |
| SHA512 | c3269bcc5a639e7b8ebffc6f75313e12b27c8ad83abd99708e2aa7b5adfbb46a9fad1ebee81c2c53b9f84ea0e5ef200611a6db7b9f7165d43af04d853d47bef9 |
C:\Program Files\Classic Shell\ClassicShellReadme.rtf
| MD5 | d00ce44ff320f14ee7b733b3c78ae615 |
| SHA1 | 625daa8a5958360ef2a667839c4324b6101caf7d |
| SHA256 | 95f7362d6f5bd9f2174ca189369ce4d6e25069cdb48670b223399c0523d9d145 |
| SHA512 | 1c97f17e61209523b47b7a5e1c72557c8795fb13fb72d5747510ae0134ba986308c1fb6b9dac9a1d14949c60c6358cea3b6969886726cdc59d21f0c7f923f0a3 |
memory/1420-346-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-347-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-350-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-349-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-348-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-353-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-352-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-351-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-354-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-356-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-355-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-357-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-358-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-359-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
memory/1420-360-0x00007FFAED7B0000-0x00007FFAED7C0000-memory.dmp
memory/1420-361-0x00007FFAED7B0000-0x00007FFAED7C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 790bf35a56f7acb2748ae13bd44b6f01 |
| SHA1 | f4c05d3f6d04e5483a1cb298132355f5c148d7c9 |
| SHA256 | 4ad102053925ba51d00008ce2d9d5418b3a36cae63e42997d2c470a32868f8b3 |
| SHA512 | b3c0719bab0cc3c46dfbfdb43f190023a0e1f43e90a0a1fd21d971564d19eed9c017998a076e279c211c64ffd9edc373da59aed7f71fcc7765b0eb1333962e45 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
| MD5 | bf814c5cabd1b6c6c0cddffcf2f79715 |
| SHA1 | 188cbdf083d5712c38e97cfa5c5eafe08b736b71 |
| SHA256 | 56ca4e4b2aae1b8331b6c06efa218eecbc1a193d37a48a8c6c4c5227cf2d9a0b |
| SHA512 | a36caf3301faaf4537ffe384a21fadc2fd45abdc05ded8fa7b93d828b1746aab26363d40037686e3574d86b8856dc4ec0527c23722dbf2d7ffb446e315199b29 |
memory/1420-401-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-403-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-402-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-404-0x00007FFAF0110000-0x00007FFAF0120000-memory.dmp
memory/1420-405-0x00007FFB30090000-0x00007FFB30285000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 66a530a096e7cfc27d33564603175785 |
| SHA1 | 5263ced21db0fef74ab3c253e394feb87527c650 |
| SHA256 | e7f83ddf62b05aa673875204813b55e308ff490dc347215c5586f54f120f7544 |
| SHA512 | 11fd7867d535401bcea8c9dcdefffd1b5e7009ecdd2a5f37c68f82875eed0819931a74a1739d4db4af07817d43d1abb1d9323e62cdc4273fce9d1846d73538df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0dc120f1-1b90-4652-9806-0be087114b69.tmp
| MD5 | 9be5bac965f21587a48f90a71dc7955a |
| SHA1 | 30c35421dfba8ccf3c9b550d2c4f2a58efd733d4 |
| SHA256 | 786afa05fa63903bef008c41c1f42fd4699aaee78fe162314c0c8e48f77edbdc |
| SHA512 | 42579bbb7e9157cdca61700dbf118bb96150e5bb4892c9d4537e1333e8303d5ebee4743b8d6d3b2d57da9a36a8fd0f73488dd405aeccd0c265468c14a6f1767a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | 41a6ce8903083795c1ae9c9e8f72cebc |
| SHA1 | a32cde6d3ced346e2d1a1467f35e2f25b19a2f32 |
| SHA256 | 4f0c18cb3157c8efeeba42d1b00c45ab35b7bbd0f9a63f2e7a1fa9d54addd5d0 |
| SHA512 | 6429c57587b94463d656e91e69ab95be53b340a402566e3e80ea710d8064cb7522bae7b866c588edac0c106a683ec41cb5b2524a6022445f6de02d69d5307826 |
memory/5944-506-0x00000000014C0000-0x00000000014C1000-memory.dmp
memory/5944-508-0x00000000014C0000-0x00000000014C1000-memory.dmp
memory/3484-511-0x0000000000650000-0x0000000000651000-memory.dmp