Malware Analysis Report

2025-01-22 08:59

Sample ID 241027-n3zbrsxcna
Target OpenShellSetup_4_4_191.exe
SHA256 9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
Tags
adware discovery persistence privilege_escalation stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

Threat Level: Shows suspicious behavior

The file OpenShellSetup_4_4_191.exe was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence privilege_escalation stealer

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Event Triggered Execution: Component Object Model Hijacking

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 11:55

Reported

2024-10-27 11:57

Platform

win11-20241007-en

Max time kernel

81s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\StartMenuHelper32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\StartMenuHelper64.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Open-Shell\Skins\Metallic.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShellReadme.rtf C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorerSettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\DesktopToasts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuL10N.ini C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Full Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Basic.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Midnight.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\PolicyDefinitions.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuHelperL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuDLL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe581f5a.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShell.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Smoked Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe581f7a.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ExplorerL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenu.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\~DF76FDB6AE55ACB9FA.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFFB864281D8A0A2A8.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFEFFF8E7BB608E561.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D47.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e581c8e.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2B3485510EF485C2.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File created C:\Windows\Installer\e581c8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e581c8c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not captured in this report) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\syswow64\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\StartMenu = "OpenShell" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicExplorer.DLL C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\ShellEx\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR\ = "C:\\Program Files\\Open-Shell" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CurVer\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID\ = "ClassicExplorer.ClassicCopyExt" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F} C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ = "Classic Explorer Bar" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\Net\1 = "C:\\ProgramData\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\OpenShell C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\CurVer\ = "ClassicExplorer.ExplorerBand.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\TreatAs\ = "{D3214FBB-3CA1-406a-B3E8-3EB7C393A15E}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ = "IClassicCopyExt" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBand" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\ShellEx\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\Programmable C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CurVer\ = "ClassicExplorer.ClassicCopyExt.1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\MsiExec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 3384 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 3384 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe C:\Windows\SysWOW64\msiexec.exe
PID 4724 wrote to memory of 440 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4724 wrote to memory of 440 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4724 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 1936 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4724 wrote to memory of 1936 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4724 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 2152 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4724 wrote to memory of 3764 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4724 wrote to memory of 3764 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4724 wrote to memory of 4608 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Open-Shell\StartMenu.exe
PID 4724 wrote to memory of 4608 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Open-Shell\StartMenu.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe

"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"

C:\Program Files\Open-Shell\StartMenu.exe

"C:\Program Files\Open-Shell\StartMenu.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a20055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp

Files

C:\ProgramData\OpenShellSetup64_4_4_191.msi

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe581f3b.TMP

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe581f4b.TMP

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\~lassic Explorer Settings.tmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

C:\Program Files\Open-Shell\StartMenu.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe581f4b.TMP

C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe581f5a.TMP

C:\Program Files\Open-Shell\~tart Menu Settings.tmp

C:\Program Files\Open-Shell\Start Screen.lnk~RFe581f7a.TMP

C:\Program Files\Open-Shell\Start Screen.lnk

C:\Program Files\Open-Shell\~tart Screen.tmp

C:\Program Files\Open-Shell\~tart Screen.tmp

C:\Program Files\Open-Shell\ClassicExplorer32.dll

C:\Program Files\Open-Shell\ExplorerL10N.ini

C:\Program Files\Open-Shell\ClassicExplorer64.dll

C:\Windows\SysWOW64\StartMenuHelper32.dll

C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

C:\Windows\system32\StartMenuHelper64.dll

C:\Config.Msi\e581c8d.rbs

C:\Program Files\Open-Shell\StartMenuDLL.dll

C:\Program Files\Open-Shell\StartMenuL10N.ini

\??\Volume{7f79794c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f7ff9f18-bca0-42a5-8e2b-624fc2a9e09e}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
