Malware Analysis Report

2025-01-18 21:17

Sample ID 240324-cxhahsbb4v
Target https://github.com/Open-Shell/Open-Shell-Menu/releases
Tags
adware persistence stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/Open-Shell/Open-Shell-Menu/releases was found to be: Likely malicious.

Malicious Activity Summary

adware persistence stealer

Downloads MZ/PE file

Registers COM server for autorun

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

NTFS ADS

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 02:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 02:27

Reported

2024-03-24 02:32

Platform

win11-20240221-en

Max time kernel

299s

Max time network

301s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Open-Shell/Open-Shell-Menu/releases

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe N/A
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32\ = "\"C:\\Program Files\\Open-Shell\\Update.exe\" -ToastActivated" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\StartMenuHelper32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\StartMenuHelper64.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Open-Shell\ClassicExplorer32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\DesktopToasts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metallic.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer64.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Full Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShellReadme.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuHelperL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuDLL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe596a97.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenu.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShell.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe596aa7.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ExplorerL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\PolicyDefinitions.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe596a88.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorerSettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Smoked Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Midnight.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Basic.skin C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e596819.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF1FE691D6E9E77FA3.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e596817.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0E1CB04EA57356F0.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFF07BF8C93EA2A441.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI68E2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e596817.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF8EA9E4A944044F21.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cfb66584abbe87e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cfb665840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cfb66584000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcfb66584000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cfb6658400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133557208784843128" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\Media\2 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR\ = "C:\\Program Files\\Open-Shell" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\ = "ClassicCopyExt Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B} C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\ = "ClassicCopyExt Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.DesktopPackagedApplication\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ = "IExplorerBHO" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID\ = "ClassicExplorer.ClassicCopyExt" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ = "Open-Shell Modern Settings Context Menu" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\ = "ClassicCopyExt Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win64\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\StartMenuHelper.DLL\AppID = "{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\ = "StartMenuExt" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx\MayChangeDefaultMenu C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\ = "ExplorerBand Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ = "Open-Shell Modern Settings Context Menu" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\Programmable C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 3880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 3880 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4900 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4020 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4020 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1528 wrote to memory of 4636 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Open-Shell/Open-Shell-Menu/releases

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ffe15f89758,0x7ffe15f89768,0x7ffe15f89778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1484 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5216 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5792 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:8

C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe

"C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6024 --field-trial-handle=1848,i,8989223633391662880,15731612366248689943,131072 /prefetch:2

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"

C:\Program Files\Open-Shell\StartMenu.exe

"C:\Program Files\Open-Shell\StartMenu.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 3.121.82.140.in-addr.arpa udp
US 185.199.108.133:443 user-images.githubusercontent.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
NL 142.251.36.10:443 content-autofill.googleapis.com tcp
NL 142.251.36.10:443 content-autofill.googleapis.com tcp
DE 140.82.121.5:443 api.github.com tcp
DE 140.82.121.5:443 api.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 5.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 10.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
DE 140.82.121.5:443 api.github.com tcp
DE 140.82.121.5:443 api.github.com tcp
DE 140.82.121.5:443 api.github.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp

Files

\??\pipe\crashpad_1528_CLGNMASPAXINMMPB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 916207bb7f158b24c9a733ff00e88e8c
SHA1 d6c741adab2c4511d95e8c53b1087ebe823311ac
SHA256 8555a8c192f76d627b3efc387c79819da6c4ad6ddeb82827b14af5dab76887d1
SHA512 10f50583ab3ec7015e6f9aaa0ca361f65fc8f6237ed9e9e953dd599aa7bb01ead1e72b714852ddc8a3bf24cd05bc44ee185a77b5eac3579514c4aeaa5c081c3d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 eb3b136920a2c473eea0348d2c4d4d8a
SHA1 0bf9f8bf072023305959aa48f52cf9e7133c9860
SHA256 d1c2ea785b07af72c44f72baab6daa4ff83dbb63758e6b79260e9185cb994b6c
SHA512 d6d1505fb381b46355cb6e2262b16e54a74541839472dbbdfd16877d7c48e254f0add5ef2a11cfee4f7ddf9b081d82d32bc7656ff20e0f8b9f10ae15c8aa0b95

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c3bdc072e174889b7d822fed61d5a478
SHA1 a8f5b00045f0458a97cdf1c85702a00db5d305e1
SHA256 27a38e1afe855f969485877d70aa6aaf330db7a2cb77d4e635dddcf8d6608304
SHA512 dfdcfbb85e70382341cbb0d4ce58b3f858a1c691ae1f25005ef10c0f556f6a108a4b454f6d755f1075cd4e1d057ebfa2752958241dcc1878bf85c5b7300970e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 e3f0fb86210a51af1e743186a3a2a1f1
SHA1 5c0751544b22e37a23ef7db95bbfab4accf126a6
SHA256 c15ba49cf8e46510a95247fbb0210b380897c06f61079126e7f456b3f740fa08
SHA512 3f4f30cf3a1b1e9eb90f21a02f94da7c30383bfac4a812b4e4834a2927b9368a24452c0543cfb1b11a604abe0f6a51cb29e936a66b8fe45483895704557c510e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d58e72a4a4c1dcd7d38a5516c01c3475
SHA1 47427d0515754730995d2a9f8083e124839716a5
SHA256 5138ae48b8d71909f10ec7a913a45a092c99534ef8e6cc32aa50e8a85bd08536
SHA512 8e5c928ebedc39ff3c3ad8abde9d47faaec704ba703c7cec7748fce64b97f2553bd63d1bca255d901227ccd24b99bc1d125359c1c6344c415be02a4979288b96

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2247b598e073f8429c47a89b0e0239f3
SHA1 76052cbc69c2b62b89f9acb52069de1ba932114c
SHA256 368ee80f305b341eb541f4677eada56fdc6a9d7d3822e40e0076510dbdd3f590
SHA512 c9416242565336340f0c4c433c919ec0f22f7c8756b7248bd334b7b5fb6a26e19356e86285bcae4dd9ab1126c100257a933ce53aaecef6898b579ce30df3b9ae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3aab0369e47b1710aee41f51ab116efd
SHA1 ab60dcea91a94c3f7c59c900069428d7c36f2a99
SHA256 30ea48841443b3602ecf0f229cbb54cb588673889a8a1b5b93bc4becba868c9f
SHA512 2ade7fedde5d4c9f110333af7268e6871776cdb4b915ce242355f757000a79d66d0e3cc4ae258e9dbad34c35600b1ccb48bd7af569b6c2ca93bf668ffe5e4503

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583275.TMP

MD5 95e3b8269fea0d88aeaee6a0ea98e5fa
SHA1 e0f5a53ee627c188d6739153f1c25e4da09c5e4c
SHA256 f58e332cb16db36b906584fa49b71e6f37a6a2ff04673e640eb50506bdd4e9b6
SHA512 b3a72533e4855ffe267a61240ea481db27f141f32ad4d41beb9ee08670eb1561a5e11a9ac3548d3be78fcbbd316c7d8c9f83584291c1f7306e47c0c4e10e0d10

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 aa30c7f4e92bb5197792c81e21ae3560
SHA1 b150cc46279d78260c7063518e1d89d944d337a8
SHA256 5ff29a4d4713d442cfbd3308b3ce5fcef24db5ef44b7e0879d40e448a1e6a243
SHA512 45cb47dc6905384f732da24520baf2257f9ecda389807c06b5221325735db955c9d07195a56dd445cb0b1b1bf49c5aa535076f910b9cdc1208f49a6378d2e970

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5a731367fdc09e3bdd9310eb713e0022
SHA1 fdfe63ba1469bc4b42267873ed6a5832e1b307b8
SHA256 ae4fd851f5a576261a06675aa28e3a33dc18299eb83cac61f38017cfe3bfa23f
SHA512 8d7fdee0156e80c24943f2994bd2d84abd5b6bd086713760bec502152799a05ebcafc3a1818a5fb03f71d60ebe803c5a24a1ef4608fcdedd679921d6bb43b060

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 82a26d775f808ef7aa01cbcf7abdfb17
SHA1 9c675f3cef45f2c4f03ecbbb7829833443d7d716
SHA256 5c64de7ab49194023ccd7a91ba03f2f591c76e00b0d61e27edc8267c82d9a7d5
SHA512 c96628fdac9aaf3240c19b19f0abffef862827bfe09563a4cbbd186286308633aa731302f0fd532f4959bc0d8f36576dabdaedaa12894537a6a1f59802114cea

C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\Downloads\OpenShellSetup_4_4_191.exe

MD5 e0484fd1e79a0227a5923cdc95b511ba
SHA1 bea0cb5c42adbde14e8cf50b64982e1877c7855d
SHA256 9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
SHA512 80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

C:\ProgramData\OpenShellSetup64_4_4_191.msi

MD5 cc25bc2f1b5dec7e9e7ab3289ed92cc7
SHA1 449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2
SHA256 25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313
SHA512 e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fb3c0dcff979807cc5b0913a422fc7d3
SHA1 ad7c6af1922bc8e0ebc1b32c836a7b2162d055a9
SHA256 907fa973e11b41699e70f5eb4476c531f1dfeddd49f6e813c96f297560c1096b
SHA512 0b83d1e5e4f7ea5ea9091e2165d9a7fcb5ce045c7877965376e1dc130276f42e9d463affddd56fc0bc0320c5bb4c9094d137de547536ab2e312c980e318b6fcc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 4c2ee97d8c127ab28d58bcb97957dc7c
SHA1 ffd3bfbaf4c23448a72f0d4cc56075528bc979cb
SHA256 f09ef53f5883cd021982c445938a9f978777f1096b0e7b622df12de3aea88909
SHA512 bfac5a1b38e98d321bfc2d719837b82c4630d41e4c3f7bec5a5d570705388a9d78ba38cd0e0a0f4a04b660f3284cb2beb496b5a2d19a9928ef5658f86e1c406e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe596a49.TMP

MD5 a0dc763d1c7139c9286ee97e5b902812
SHA1 3902a9c032570d1da05dc8a06908c6f0fde130c3
SHA256 36a42bdff7ec0994bd2556da4d9337b19e332703c9df7e737a5bac0061e8dd9b
SHA512 0aee867c807acaf6eca742c882dbdd9ab91aca164afc7c3dae485b9fb538268332485670e8ba8292f84d2d5873f9f1ffcc647c4bc4479b5e7da05666114cd263

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 954cceb29d263262709f544c4f1c1046
SHA1 071ef7f5601d2281b38c36f5285d7461dd4dc669
SHA256 55cc8f05a91dcf9c20aed294743e62912ace34e6d1d0367e8726ac24940e1736
SHA512 c5dd568fffe158152e4084293c885aa3e5db43bc3faafa097bf0d543e93f985cb1a531cc66aaf7c12477c028a56d99173c13e1a1ec82cc37ed40700672b3b426

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 02e57b36866336f944c0492163badf6b
SHA1 d9fb0a0000a0ae9f49025d5a38672e03d33b3f05
SHA256 aac80b27630a88a5438eec268d118975cf055cb1a6a0336e08218ef491c2fe1e
SHA512 02c6994f427d03a99a0c5f8ccef3cffe53ffa51ab10ba0c5cd9b449be7b7b64cf17dc2b6e5e9a3a34b4f69746ade798dde1618981c1e67fe0245501bb291f99a

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe596a68.TMP

MD5 c16d3ba81655ba1fb5e407e2dba9f27e
SHA1 dec19d693cf70b9a077f3cda9c8db33d1a3803b4
SHA256 08bbb53c7416cbb4b8a4386fb7b23d733143cc927cadc669a699f0395520c28f
SHA512 da2411ba83dbe9a2657b4094686717cbe4edf176087f038ff2982dac33ce0ae87d536241eca2b84abcfbe1ad63aa418dfd44b77a453d0c11bf062c29329c1675

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

MD5 b21ded55748326c34020c1050675c42c
SHA1 1de8fadaa4e50c004359ebf4cb2380482043428f
SHA256 3f75ccbedf66156e893d021b239bf6e8b77df3041d8467563d7d606d64874591
SHA512 3237fc3e3fa48e3773d3bb3a72ace4264134337fa4fdc19ea8026ea0392652069a9edc12f647b008470951a842835cfa2a45974f22514a5f5031113dd81b5120

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe596a78.TMP

MD5 177dd78e81a311410299c807642d69c6
SHA1 efbb36fff5952b07e99c3a264d9160220177ba9f
SHA256 02b9755a93101d71f2cc96101acb612fb418569904950170cce42d387f42e508
SHA512 44a085e5e7327cd7b9577aeaae0f8b2e7303bd557c09cca4c9cd3a7fe004a4f7cf939013549e618e5d636ab127e3517643c93078d1df3550cf160c75663f1d5d

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

MD5 2f75cfb9208f24d058103b59ac0fdf7d
SHA1 9a592ccf774cb21a7eaf60f5a8a060dc66ebd822
SHA256 4bed8909568e729c967ad3d4d4c7d0790cf9e635a997e252c259dc786c1d148b
SHA512 99155a6bcb6f87eee6688e126b6673d22222362e5cf75bdd1d45b4e305ba3ba8a9e6a5cc9cb9a45b02767c20f7441b1537a3229574064772b01c3e8b89a769e7

C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe596a88.TMP

MD5 4b8f401ee9a38402099ef674be1bdcfd
SHA1 395757daaaad33e11e5612fcf41a171c33baac7a
SHA256 3374ee8500b9ed9f69c42c05f6b093d1f630048df8a5918a23afde023134e486
SHA512 e52e4a12a2fdf8a982837f1268afc033ad017ecaa36de90b641497d21c15351e9c5179d1be877ede858eaf2bcb7d89300405d122fe92cbe9f2affc73e45a7042

C:\Program Files\Open-Shell\StartMenu.exe

MD5 9aca92d31344210995d18ac75f7df752
SHA1 fec9f414f3c399f8384ad6a32d0b60adde85d8d9
SHA256 df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf
SHA512 ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

C:\Program Files\Open-Shell\Start Menu Settings.lnk

MD5 3e86b6eddbc5931beb06505cd1647bdc
SHA1 ca7b5389ac2838511bf1474aafd2b67df7f10e68
SHA256 58cfb573720db56045fefb64e4777fee9622b82fef1c7dc2e4e8ce0b508d5d5c
SHA512 e9e2bfceb2796e38db93693f5608bbb9156e3670e473e76159fbd2eb68e0a350bfba3f784f2283ff6e11412047b2e077b92d23414b99f278fb018d56747237d9

C:\Program Files\Open-Shell\Start Screen.lnk~RFe596a97.TMP

MD5 5ee14bec200cb222ac534bf98bdfc107
SHA1 9d24dad47baa4276dd362e51a5e92960d3afc7f6
SHA256 76e3c0ee6cc32240f4d149bc52ec1c846ab84f01b9a06661630d37a34ca952ff
SHA512 8bb20cb6c9bba93e6be6168f782123af2a73c28aa1edb01bee84db9c453d49cac58a4b79be85f77196d9cb25855657fbe6be0d2146144a3bf32ab399999c785a

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 ce17a83c6aa1abf8903eced4c395260e
SHA1 1323d30d6364624fc27297dc2e0ce06bd7b80c99
SHA256 eda0f3c84b5fb93a30b5adc7210740d93bae5d3f2547f9b660e8a60414b045c9
SHA512 9041475b17067bff7cd303acec3fc240434f1c44a3166d084fabc6c2f7be6821408f91668f07aeb60d441af52f65f9a10ec8f4d3ff05f0329cd0f22810b1d7c1

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 2adba2177aab32f90ec043601419e4bd
SHA1 a4e3359ae5bb916eacb4cb2895e957e086fcd252
SHA256 d8dc82f9faf9ad6953f99893dcf0101d9e2ad301a25e949670015c31b4caf30b
SHA512 5c3e47e30174dc57671368dd2e3edc623dc9fb9a993746ca3e53f349d40e5e404b5e47ba985c17526f8d5e1f504af3c9b66e524e6ffb2319edead952489d14de

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 4315d7817eba432e138340d63a4ed1f1
SHA1 16f30b26137c74d248f2e4e05ac6517cf2fb1ad0
SHA256 4ff942d10ca0fa17e08382ed03567a9eb9a8625148c6100192afa10bf5d48e27
SHA512 a599641ef9b59374f9493387c7d07e30015e96153658f497a8097d6a1ee363a7b0dc00ace6a8b213e50ab85b714276e42589fad8a90b083f2322480ad687b46f

C:\Program Files\Open-Shell\ClassicExplorer32.dll

MD5 a805193aed76942c667a798f9dd721fc
SHA1 3d2f702b16cb22d5918f6d51585a871fb3b3f900
SHA256 97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89
SHA512 0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

C:\Program Files\Open-Shell\ExplorerL10N.ini

MD5 6ed13b9c1719b252e735ba7e33280e67
SHA1 f3753deab4d99dbee4821a8a70fe6e978e1a45f6
SHA256 b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab
SHA512 f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

C:\Program Files\Open-Shell\ClassicExplorer64.dll

MD5 950ff69adc1b8eec1bd8d502615b0ba6
SHA1 edb3916b7ada6aa0e765c6f70c39e182b8d45dfd
SHA256 9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e
SHA512 f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

C:\Windows\SysWOW64\StartMenuHelper32.dll

MD5 b7c7f2bf76b2220839af735e2b58fefc
SHA1 16631df5f62096b039fc1996066805721b622407
SHA256 a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875
SHA512 6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

MD5 29221f620ea6b5893add15dd6c307684
SHA1 97c31bb9585a0896e1fcea8efa3f05ff16823da2
SHA256 53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84
SHA512 b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

C:\Windows\System32\StartMenuHelper64.dll

MD5 22c9a786f3ff34275c80876b8ac5cc10
SHA1 beb6f4f28b98910b2031c37d7cec385543045614
SHA256 b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca
SHA512 92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

C:\Windows\Installer\e596819.msi

MD5 3840df5ab79a23c7c2c89d7fba83b567
SHA1 8865a0c7d3f65fd03d73869a7d32bd27f450b132
SHA256 1444e13445bd14147828c35ca4ec71ac920a0035bcf280ea00d393d38b480eb1
SHA512 d115ded8eebc13cb1bb11e25ad36cc1c94a1fc2e94c9ee68614017997ce332732feafcacb99f17fcee81121906d1d9396b272b1e4ed6e202e61a68432f88388b

C:\Config.Msi\e596818.rbs

MD5 7d72548b610325a95103e1702c8eebc7
SHA1 343280aa5e3c318f3edad11dbde58b530af6a1df
SHA256 af301f0274ca062b85ab9ff0e19bb7c338364a3fb2c5e9428fe7138638f2b356
SHA512 92f2a9fbff283fbeb36ef501a22c0e155d497d8ce45db477c5390cf9d652c120d87aed4cfe842ec467d4fed9cd6f85689312706a35b0f7b8f7467631a3393d52

C:\Program Files\Open-Shell\StartMenuDLL.dll

MD5 5a3b9b52d7072ce201f6f2a625262519
SHA1 74cacac59b7d8c0e0712b6a9a595bb736f7e8d85
SHA256 b6aeaaac41217cd1cce01efe05b721754ec3daa35fe36d2d1dbab6b99274d6bf
SHA512 7c38744f920ee0ae10297865ce3727638129218628c876d0ffc3743ee7fd71a2d9cf3430aa9cd16d4aa7ad34f9d1da8d6a07c2396b127cc5e62f42b16bd898bf

C:\Program Files\Open-Shell\StartMenuL10N.ini

MD5 673bb428b6d3fab8cba07890cad09d0e
SHA1 45039820289bdb485bb761e9b267f6de9e18a26c
SHA256 ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33
SHA512 2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

C:\Program Files\Open-Shell\StartMenuDLL.dll

MD5 e29ab21b4d9266502677b9837ad23346
SHA1 939e7bb40623f04dd3d75f4685a543437512771a
SHA256 808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185
SHA512 7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

\??\Volume{8465b6cf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{24ec8b74-b197-4c13-ab99-9fc4fd74f0da}_OnDiskSnapshotProp

MD5 a4b2dcb6964d25d3a2808315cc15388c
SHA1 e5cc2434e503d40a167c83ce9e70d2b7175c6ad1
SHA256 8c9e6028490b2cf1fce30e25e7b770155cf2d1f470a1504c2c16e04bf2ee2003
SHA512 302ca630d879b67ca007161a65f43f6734f64c675f38e92af8cd51da33c8e0fc9d8caa18bfff47a20110ae84cf4841010fb4a9258aaeed4f2f6a9d3346872d3c

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 c3107d6504fcbccb6a5fee87574f4cbb
SHA1 595c5d64dbca04c12cf99f3e2ffd49167e4eecbe
SHA256 34e76008f523c863940cef9450e7630d46af48aaef4bbd973054545ec071b5ed
SHA512 ded134e2998d58facedbd625dfeabaaefebbd68752c52c415a320a82dc38246505c0802fd0aef7385f8e4bacdaf6cec7e4a5daf548925b3926300d9afb3c181b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f3c27da145484711e58886bdc7aec762
SHA1 eee6d0c2fc8df12e5ae1ce591487a7119f25b9a3
SHA256 6c0e0ba088591ad7df27f45a89c8b2b6705413471014c2d13873dde5d5261989
SHA512 cb32f496a778b6e5d8719eaa8d1457e8983ba789adbb7a779458af2c9290e6ac216052cd25e215ac5d8642f95fdf93c5cf7f85b6d024d73678ab48567a72912f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4740adb3aa2bc66d82daedb308732d33
SHA1 9528121a4f1d8d48a28cda29f77d7da4a392c051
SHA256 1db5d93f6a4f6ea075e15a9e8aa89fc9e5aeeedf5f52e62a01a71382e318b71a
SHA512 05436013f3b84a256db0f943446e0f39faf50e925c72f97ca6de66bbfa6ade219837093f7fc26335e281fb7a50243530c190f1eae2976847d9c7539b46eaa5a6