Malware Analysis Report

2025-01-18 22:00

Sample ID 240622-j6p52swcrk
Target OpenShellSetup_4_4_191.exe
SHA256 9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
Tags
adware persistence privilege_escalation stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

Threat Level: Shows suspicious behavior

The file OpenShellSetup_4_4_191.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware persistence privilege_escalation stealer

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 08:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 08:17

Reported

2024-06-22 08:56

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\StartMenuHelper32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\StartMenuHelper64.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Open-Shell\ExplorerL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\PolicyDefinitions.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe57a8f2.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer64.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Full Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShellReadme.rtf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Basic.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuHelperL10N.ini C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\DesktopToasts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metallic.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Midnight.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe57a8d3.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShell.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuDLL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe57a901.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorerSettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Smoked Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenu.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a0d6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57a0d4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA299.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a0d4.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003f3ccc8c3b3921e10000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003f3ccc8c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003f3ccc8c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3f3ccc8c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003f3ccc8c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\ = "StartMenuExt" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID\ = "ClassicExplorer.ClassicCopyExt" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\ = "ShareOverlay Class" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ = "ShareOverlay Class" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ = "IClassicCopyExt" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CurVer\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\ = "StartMenuExt" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer32.dll" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS\ = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs" C:\Program Files\Open-Shell\StartMenu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicExplorer.DLL C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32\ = "\"C:\\Program Files\\Open-Shell\\Update.exe\" -ToastActivated" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D} C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\StartMenuHelper.DLL\AppID = "{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CurVer\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\ = "ExplorerBand Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\System32\MsiExec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 4980 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 4980 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 2440 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2440 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2440 wrote to memory of 3296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 3296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 3296 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 2444 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2440 wrote to memory of 2444 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2440 wrote to memory of 4476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 4476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 4476 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2440 wrote to memory of 224 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2440 wrote to memory of 224 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2440 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Open-Shell\StartMenu.exe
PID 2440 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Open-Shell\StartMenu.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe

"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"

C:\Program Files\Open-Shell\StartMenu.exe

"C:\Program Files\Open-Shell\StartMenu.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39be055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.github.com udp

Files

C:\ProgramData\OpenShellSetup64_4_4_191.msi

MD5 cc25bc2f1b5dec7e9e7ab3289ed92cc7
SHA1 449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2
SHA256 25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313
SHA512 e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cfb5ed2b-e58d-4d90-980a-c5342b0aa2c8}_OnDiskSnapshotProp

MD5 538e60feecf9ead176ff5139a18f4b42
SHA1 76a9919305d280125cc78e49e165342d8c20abce
SHA256 fd2ea922b55f6298d2d32778e689eb08c9c1222194df146f0124830ad760fb2e
SHA512 d279803f56863c541113bdf2ece76f28f4954780cfc7aeca68ebdd78632ffe1f17f86498760eca605ce3d41659879fd1dfdc29cb51c453d44f7421830077f2aa

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 ddb150266ef6f53f326f67ea2492efde
SHA1 45231114a69f9a9f432a7601dd923f6925ab638d
SHA256 0e7b6ee629f7e13c07d3ccaa5ced749e7297c87410a9fc67d496ac465e217319
SHA512 9c67650ff11a270c2030742dbd7fb0f909b421c589bbcfb027f05ad2601d86db49a3e1af396b3b18466089e02bd7059daa3f408a79c6abceda60300dd39f2a6e

memory/552-13-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-12-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-11-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-14-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-15-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-16-0x00007FFED70B0000-0x00007FFED70C0000-memory.dmp

memory/552-17-0x00007FFED70B0000-0x00007FFED70C0000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe57a8a4.TMP

MD5 42ac0dc6e8e279d10957a94bafd1c196
SHA1 a977896d71f9239fb47ea4c9824c1e6d2413f9a4
SHA256 08839ae53a8517e730e0d41079246e1c10cf6cb9acb4dd5182224096c6347e12
SHA512 c48b9040809d44b527e2705c3d91bde47296a1dbe1834d554e53a527eede4c3c665256d273387dc91fb7bb98aa75368e9dd6f15354ddb5d37b0de3ba704b76ad

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 d09e76d2b4e14ceabad1ff02cc88be50
SHA1 eccd468cae7646148c9828a43f32de577fadc7b2
SHA256 7d0874c4874bac382f7f14a3ede9d2971c976e862a4a1e001935f211b7235715
SHA512 6505d772bd0f505090185353361b56e0bbbc574d32b9fd3c5d94d99a72402d6d167c6215475bf893d81067dbe715cb0adfe1b5b9ff79e2ca62ac8fffbc2a4fa0

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 1c29915c07d7afc441f6ba0a4d3b010f
SHA1 7fffd6eeed80dd8e08464da2dd5849f0562a9100
SHA256 623a15511d94d5742bafa8cc2d603708baffd62936900aed6c4e90fb6c1db222
SHA512 f70d338bfbff3ed9bc9c73ea6fd40ed0741a377c88c9929f8d737a90987e192666fea53e4c9d1504c0132278cc7a73457de2b4d4c5adaa69a1ba55534c1ba093

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

MD5 cc4f6a937a9d5380c10b2c36dbb01d98
SHA1 8fed81ebdc41d160bc0f4c3ad35b3932120a05be
SHA256 74351bf92a9f3402b759a8cee60b8f7d8a1391bc317ad7ea18791b03e852e43d
SHA512 9952c5e07cf5ba2e5bb5d0b7bf5cb3c9076b1ac2488711ed5b6da4cdb53dc8487fe85d35cc1f9d6b44cef162d8a4d9a54a64ce9a9c659b29d3e22ab3c05bdb8c

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe57a8b3.TMP

MD5 8b33f0209471f7d5ac2afcb05531587e
SHA1 2da411c566903545102d0c01dfa991ae3b669def
SHA256 92502a01974bab8864bec1923fe8f0ae95f33380edfafe1e887a3a94ab660dcd
SHA512 c42abc0d62826e7068e4169101eb5b6c953ad159f551a35e1f8f4b74556e97cc2ad21f3582a862db464ef140b689cf82284c13aeff6c7b11ba1e7779bb8cae27

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe57a8c3.TMP

MD5 66d128ad92dfd679ce66e9ed461a27c9
SHA1 7c55e88fef0b30f7b9e224ff345084d2de9d2534
SHA256 bd649b266c1a75995756326b9cbd9a08cdb20083974438c6416d74e3395fc212
SHA512 bc1ced0eb1beb681870d372ba09cb5e1bb89ace525cbe9b0fda6e94446269bb73fe415104d5b74f121520075774791a95cf6242c9c4b5353f7a2a85c45be79c5

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

MD5 f9395e034999ead2b2f5df0e6233c806
SHA1 90e805d06d39283e4f0e14e67294e45708165e0f
SHA256 125a2a2e0a4df6d7d03d902d4602ac77c7cdc42c6c45f79ffe085239241c2697
SHA512 5a8becbeb03ed862dc2f2171d5c2ffe526effd7ffea0133d105bc4374af7b2813492c03ed906d811f546f7c1e662b729e0f6253a121190d19214d663a9b9038d

C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe57a8d3.TMP

MD5 dd139b133ca8454ddaf662560796f9b1
SHA1 98a80d9807f521b490e310b46bc496decbefa357
SHA256 6c9f615c8824035785240a77485661fda6decd7867090f1d9c5ea1c66455fbde
SHA512 daadfe2cc83d71ba78a4ade8a252d6df3d09814cc3ac06ec07d0a762b8d21c3ada064402ba46a1a222d5af22cc28dd5cf771e649db6b0c5548b564541e898e63

C:\Program Files\Open-Shell\StartMenu.exe

MD5 9aca92d31344210995d18ac75f7df752
SHA1 fec9f414f3c399f8384ad6a32d0b60adde85d8d9
SHA256 df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf
SHA512 ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

C:\Program Files\Open-Shell\Start Menu Settings.lnk

MD5 0cf6f6c6859741fd110c4b2ae37159e2
SHA1 dacb271fa96c3fa797d8856a7a9cc210719f986c
SHA256 579fda59d3ba1f3a1a088f2ee901a05d428b42a1133c7b3efedbabcc62bd3fd4
SHA512 8dbe198f7ab05814a4540a81d9f180270f1197889880290eb3778242c61be9e128fed187803e91ac60d923a6790bf0ea32cf166a048f1dc802ae4e1f90a2e4dd

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 e6c97ef321f8bfa63758faad3ff90034
SHA1 424dddad4af29303a46da27cc19190951563ede9
SHA256 635fd14b842e83f97f7c73faff77c19678b22dcee7819167c191f527da1ca409
SHA512 67d85cd5b8cf18de49f1b9be9a7039b2b6e5360c6803e53499bac575b95a3f474d82780e9b5671455c87ce2c15c10009c022a1be0f5eb1c03478126a35c44416

C:\Program Files\Open-Shell\Start Screen.lnk~RFe57a8f2.TMP

MD5 b56bdf406434fd89a56c078cca7a1c93
SHA1 21ea549178353096ece5a78c3538d856154a5051
SHA256 8d59f640fcdc2c238b9687f6c268e249c495de3c01cc78f77c7ff6bde3b5d18f
SHA512 13ed098c0e324eee68d2becb01cc56b7fe2fabae8e342d51a21ac4f6f757f31bb1a995b15976fbe08051fb5e196e0b1ff6359fb8eb8a626e6b037f0d04bad6a2

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 a184bc88552d2c319f222baadc07856c
SHA1 aa13336369fc4a3f85c91c8bded594348b814ecb
SHA256 149a98a7d10386be3bc3283e6c4c85c04ac19e15b953f9cbc1231af6a62b616d
SHA512 6901795cfea72ade1477f8373a424057dd7ac9e85d02154e63148085b28d5a08bfc5f3dd8a8f2887252b9bcd7254c794a2ccb6b5e3c1f4dd8d00e8ba9cc697c9

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 45703b85c6cd2628bcbe503c14c4ce66
SHA1 90e18f4775d78575ca83e3cefd2732ee0bb237e1
SHA256 b7e9df0de40e12c4d6c8eea7dec15123a06398cf8f04f00f343fa51c77ac1b21
SHA512 21cee1b01086cc5639f95d3200f8fe43cf8bde1e1c76d25081d8984e7f7c422215cc83d5eabfe3c24bd064a566a17bf7ab1cd0bc4b988b206b1a071cab18c91e

C:\Program Files\Open-Shell\ClassicExplorer32.dll

MD5 a805193aed76942c667a798f9dd721fc
SHA1 3d2f702b16cb22d5918f6d51585a871fb3b3f900
SHA256 97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89
SHA512 0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

C:\Program Files\Open-Shell\ExplorerL10N.ini

MD5 6ed13b9c1719b252e735ba7e33280e67
SHA1 f3753deab4d99dbee4821a8a70fe6e978e1a45f6
SHA256 b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab
SHA512 f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

C:\Program Files\Open-Shell\ClassicExplorer64.dll

MD5 950ff69adc1b8eec1bd8d502615b0ba6
SHA1 edb3916b7ada6aa0e765c6f70c39e182b8d45dfd
SHA256 9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e
SHA512 f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

C:\Windows\SysWOW64\StartMenuHelper32.dll

MD5 b7c7f2bf76b2220839af735e2b58fefc
SHA1 16631df5f62096b039fc1996066805721b622407
SHA256 a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875
SHA512 6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

MD5 29221f620ea6b5893add15dd6c307684
SHA1 97c31bb9585a0896e1fcea8efa3f05ff16823da2
SHA256 53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84
SHA512 b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

C:\Windows\system32\StartMenuHelper64.dll

MD5 22c9a786f3ff34275c80876b8ac5cc10
SHA1 beb6f4f28b98910b2031c37d7cec385543045614
SHA256 b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca
SHA512 92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

C:\Config.Msi\e57a0d5.rbs

MD5 b5b61395268b31516c65ae4890bc8f20
SHA1 7bd3c69a72d01170a3a072e1186dc9cdef6067fa
SHA256 ab028e4c881fec14a16371d5d1d53a47e4d1c14c6e584f168e8fcf79f87cdaa0
SHA512 40add599a4f3374ad5490869e45ba3df2b846a9e37e832fc0a859843a60fc5c32c4ebd3ba7df2f01738ed94116aa580109b1b5aa8650e9d5019ecfa9ebee1cad

C:\Program Files\Open-Shell\StartMenuDLL.dll

MD5 e29ab21b4d9266502677b9837ad23346
SHA1 939e7bb40623f04dd3d75f4685a543437512771a
SHA256 808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185
SHA512 7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

C:\Program Files\Open-Shell\StartMenuL10N.ini

MD5 673bb428b6d3fab8cba07890cad09d0e
SHA1 45039820289bdb485bb761e9b267f6de9e18a26c
SHA256 ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33
SHA512 2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

memory/552-210-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-209-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-208-0x00007FFED9370000-0x00007FFED9380000-memory.dmp

memory/552-207-0x00007FFED9370000-0x00007FFED9380000-memory.dmp