f45bcf726922fe01b71eb17cdaea8fcea57bdeefced3054e118732a41805f15f

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tox tweaking/niggers/openshell.exe
Size

7.9MB
MD5

cf93ef6708b8026ff44e5dfe26d6d387
SHA1

8b1666ce02c032cbdc1a7afcd1e9395a892da386
SHA256

31e616f27fad0c9b14a22c02ded2dc524411abf53d72c4136f22db1be0156865
SHA512

9d30881098f283bf478b56267623f3d4559ca7554fabdaf777458dec1368a4d6d84b8bd7ff0982060aeea85c69f8d160b2afcfbe5bbbffb2d425bc2a8dd63f52
SSDEEP

196608:4A+K5NrULkCZNxUmPYLWDYqqaUeqA923VnJEhqY1TUmPYbWDi2r:4A1rUIMNWmQaD/t7GVnJErwmQqDx

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
2708	StartMenu.exe
3256	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
4528	MsiExec.exe
2968	MsiExec.exe
1576	MsiExec.exe
4652	MsiExec.exe
2708	StartMenu.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\StartMenuHelper32.dll	msiexec.exe
File created	C:\Windows\system32\StartMenuHelper64.dll	msiexec.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe57fc71.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\PolicyDefinitions.zip	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Smoked Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShellReadme.rtf	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Midnight.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Update.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\ExplorerL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\DesktopToasts.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metallic.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer64.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenu.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe57fc52.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer32.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorerSettings.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShell.chm	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Basic.skin	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Full Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin7	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe57fc52.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuHelperL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuDLL.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe57fc61.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin7	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{72CFBE38-4ACE-4D41-81FA-B01D8C4FD590}\icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE8FAEAB577495FC1.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{72CFBE38-4ACE-4D41-81FA-B01D8C4FD590}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF32853D491E25A252.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA36C9BB8F5255424.TMP	msiexec.exe
File created	C:\Windows\Installer\e57fa1f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{72CFBE38-4ACE-4D41-81FA-B01D8C4FD590}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e57fa21.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{72CFBE38-4ACE-4D41-81FA-B01D8C4FD590}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF551609769A431F72.TMP	msiexec.exe
File created	C:\Windows\Installer\{72CFBE38-4ACE-4D41-81FA-B01D8C4FD590}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fa1f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openshell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\VersionIndependentProgID\ = "ClassicExplorer.ShareOverlay"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\StartMenuHelper.DLL\AppID = "{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83EBFC27ECA414D418AF0BD1C8F45D09\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83EBFC27ECA414D418AF0BD1C8F45D09\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\ = "StartMenuExt"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID\ = "ClassicExplorer.ExplorerBHO.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32\ = "\"C:\\Program Files\\Open-Shell\\Update.exe\" -ToastActivated"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBand"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83EBFC27ECA414D418AF0BD1C8F45D09\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS\ = "0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\83EBFC27ECA414D418AF0BD1C8F45D09	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ = "ShareOverlay Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx\MayChangeDefaultMenu\	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\TreatAs\ = "{D3214FBB-3CA1-406a-B3E8-3EB7C393A15E}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\HELPDIR\ = "C:\\Program Files\\Open-Shell"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	msiexec.exe
2964	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2604	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2604	msiexec.exe
Token: SeSecurityPrivilege	2964	msiexec.exe
Token: SeCreateTokenPrivilege	2604	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2604	msiexec.exe
Token: SeLockMemoryPrivilege	2604	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2604	msiexec.exe
Token: SeMachineAccountPrivilege	2604	msiexec.exe
Token: SeTcbPrivilege	2604	msiexec.exe
Token: SeSecurityPrivilege	2604	msiexec.exe
Token: SeTakeOwnershipPrivilege	2604	msiexec.exe
Token: SeLoadDriverPrivilege	2604	msiexec.exe
Token: SeSystemProfilePrivilege	2604	msiexec.exe
Token: SeSystemtimePrivilege	2604	msiexec.exe
Token: SeProfSingleProcessPrivilege	2604	msiexec.exe
Token: SeIncBasePriorityPrivilege	2604	msiexec.exe
Token: SeCreatePagefilePrivilege	2604	msiexec.exe
Token: SeCreatePermanentPrivilege	2604	msiexec.exe
Token: SeBackupPrivilege	2604	msiexec.exe
Token: SeRestorePrivilege	2604	msiexec.exe
Token: SeShutdownPrivilege	2604	msiexec.exe
Token: SeDebugPrivilege	2604	msiexec.exe
Token: SeAuditPrivilege	2604	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2604	msiexec.exe
Token: SeChangeNotifyPrivilege	2604	msiexec.exe
Token: SeRemoteShutdownPrivilege	2604	msiexec.exe
Token: SeUndockPrivilege	2604	msiexec.exe
Token: SeSyncAgentPrivilege	2604	msiexec.exe
Token: SeEnableDelegationPrivilege	2604	msiexec.exe
Token: SeManageVolumePrivilege	2604	msiexec.exe
Token: SeImpersonatePrivilege	2604	msiexec.exe
Token: SeCreateGlobalPrivilege	2604	msiexec.exe
Token: SeBackupPrivilege	4192	vssvc.exe
Token: SeRestorePrivilege	4192	vssvc.exe
Token: SeAuditPrivilege	4192	vssvc.exe
Token: SeBackupPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeBackupPrivilege	4652	MsiExec.exe
Token: SeRestorePrivilege	4652	MsiExec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe
Token: SeTakeOwnershipPrivilege	2964	msiexec.exe
Token: SeRestorePrivilege	2964	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	StartMenu.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2604	2672	openshell.exe	79
PID 2672 wrote to memory of 2604	2672	openshell.exe	79
PID 2672 wrote to memory of 2604	2672	openshell.exe	79
PID 2964 wrote to memory of 2552	2964	msiexec.exe	86
PID 2964 wrote to memory of 2552	2964	msiexec.exe	86
PID 2964 wrote to memory of 4528	2964	msiexec.exe	88
PID 2964 wrote to memory of 4528	2964	msiexec.exe	88
PID 2964 wrote to memory of 4528	2964	msiexec.exe	88
PID 2964 wrote to memory of 2968	2964	msiexec.exe	89
PID 2964 wrote to memory of 2968	2964	msiexec.exe	89
PID 2964 wrote to memory of 1576	2964	msiexec.exe	90
PID 2964 wrote to memory of 1576	2964	msiexec.exe	90
PID 2964 wrote to memory of 1576	2964	msiexec.exe	90
PID 2964 wrote to memory of 4652	2964	msiexec.exe	91
PID 2964 wrote to memory of 4652	2964	msiexec.exe	91
PID 2964 wrote to memory of 2708	2964	msiexec.exe	93
PID 2964 wrote to memory of 2708	2964	msiexec.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\openshell.exe
"C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\openshell.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_190.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2552
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4528
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2968
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1576
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Program Files\Open-Shell\StartMenu.exe
  "C:\Program Files\Open-Shell\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fa20.rbs

Filesize
20KB

MD5
f36eb96628f1ba54dedc34d5f5648dcb

SHA1
9747dc8ec6c5266db2681ed3b7a041e4988396b2

SHA256
aa0a59364983f6b7f5bfb02feaa374af6f6517b5b39e8a2d8fdfe183177de655

SHA512
7a2dd3bdb36affc8c7ccb5017b820948f643859e25e89e0cac4723dc8adae2e88909419ce48c41d279ea1a706a89bf7f0007ccb16a8f7572a4905922322d3ec1

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer32.dll

Filesize
863KB

MD5
4e8857fb490c01a686095785bbef5896

SHA1
975dd96ce38ad1ec0b25decf4c8d36d583a9f02a

SHA256
ba769f3ac5d06433babf0c260f9e6178834ebdad5bbd43bcdabe5ca3ea140d77

SHA512
e23bcc3809fa35a99aabf1fef54faeeaff491e5e7afa0e1a69c5ff2ee95fac02d6111fda6831964edae6b3cadaf17553a9cb4e1a0fa39e942e303b264f2c0f66

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer64.dll

Filesize
964KB

MD5
e668a04a52acc169c16717d4b1184f17

SHA1
1f6e4293c919bddc9e3cfa324724a07f309e95e0

SHA256
9c52a38e89a954d9e200fcd3a8b29fa92dd0239945902b817732e45c3a216f1f

SHA512
5f09aabc536b593c043b32a7d2400cbcd4e9b8e5346c116ff58337a30c6b8704e91551fbae57d3afdc32e14446c39f85ef4d2839fed9b6ab6c9fc0fa453ac720

Download Submit
C:\Program Files\Open-Shell\ExplorerL10N.ini

Filesize
98KB

MD5
6ed13b9c1719b252e735ba7e33280e67

SHA1
f3753deab4d99dbee4821a8a70fe6e978e1a45f6

SHA256
b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

SHA512
f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk

Filesize
1KB

MD5
9ff8d9f5ff227d88c315b1cb039e11f4

SHA1
8b6949cf642f2fb4d81954b6b1e8d381aba03681

SHA256
50c2f6f5db017b37ca6723686c7ec179dddff386da8997b2d052f2d331f620fe

SHA512
143fbeda526bb827bf5b86eb29b79aaccc41d9a5977c13e647306831aa3b704d7d979ac1f99278017e83f88c6994ad106aa938b559c4c40ea595bd18a1f2f7af

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe57fc52.TMP

Filesize
1KB

MD5
011c61cee2c0116002f87d2947921379

SHA1
3d71959a7003aa87f5b8bac6d9e834729793a531

SHA256
48e2e6aac16e91fbe4398117d1cbd70453beb9f76e4bec48ad4b8b00a541d483

SHA512
c34b163e9fa332f091a2627f70c5f9d47383f328dc6d5198de32e2e4412847e874938d37a036372a97190692d5c39d26d5d0081fd4f596fb1ddfd228935cec9c

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
1KB

MD5
9ad98868b08f5e5d2d246925b94b9597

SHA1
c013f49ccf5dbebca809d22912e138629e53fa1f

SHA256
aef790d9a3965418cd943c8d7659254ebde36a873ae26edd4498227753d49823

SHA512
3c94bd00f13b19b62162487d14f0ae143b7d6b7fe775ae469ad8001cae743ed14fdb04d2307d005b5098e50a722bf4101270892cf4e5e3213e06db5808154038

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
24d4501d9dba54cd2379ba838586a72a

SHA1
1ed50051d23d199afbaabf60d14934dd59e7a55c

SHA256
32caee90aebba381dd7fac40330ac8e571a229a3895791160b26f6f3e0d49df3

SHA512
f987c1e1dbb024a7e25a0157276e00ee11d65e79994571a24a19a7528c00f670f096f5bdd8cc39081e0e5ba3f338b501b74046ec1929b30f482cba18481fa246

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
a50994ee7bbb23ac9a476e20b452836b

SHA1
27e9c84e5c924a777ae5b120ce0c338b7b1ac0f2

SHA256
52fc2bf080040b906f9a4b40bd22ed8e139359e42174c1785f013871851de019

SHA512
cae4ca12bcd3c908bf7d8537f743f322bca8b9765860381507238e511c7b9bff43c1399a6dca4f5d0d4f2b015cff23be8b6402b69659ee9989786a4782da8fbb

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk~RFe57fc52.TMP

Filesize
1KB

MD5
ad4181d7679e67532c0c14217c874c4c

SHA1
831c8c2052a94cea1b039f1fc31f8baa1d32d849

SHA256
e082f4570256edc5c29a71195ff563fb9540edd137e15816666ecc3bd73c3b12

SHA512
0216c6f34011253c385179dcd901d05f57bb9dff841f76313cd2fb8bbcd431b83618409608737e7325e131e023cb019b152cfec0d870db53c6202b796247a744

Download Submit
C:\Program Files\Open-Shell\StartMenu.exe

Filesize
259KB

MD5
6f7907b4b6e7332fdc29835198fe98d4

SHA1
4c7447137678209a1acbe58ef91db60f706e2b50

SHA256
08f505b325a67b61eb997cd45d61fb04851b6e6477110739a7cfc1ef5d290fae

SHA512
030f3b80f320005a27cab243573a704a46ed6cc342b2f9aef128511f132b9e1ffcf3759c44fe6252e045ce6368376cfddca5a8fab07664d9ea89acc9666e48b2

Download Submit
C:\Program Files\Open-Shell\StartMenuDLL.dll

Filesize
2.7MB

MD5
1a4b83094fa595506d8d33663edfd64b

SHA1
49956cacdec572f5311a23fcc9499a63943df0b9

SHA256
3a2898c5a1c71c42a95583ccd2ad72e30f43d815b3da3452b3d245ba5c0aa1e5

SHA512
ac48376c9085976eff72702136a94ff66c53ca58624b00557e39ed1accc4de074c9f7fed877f030b4936dde41faa627920a9b7332dd721adc38871778f08f6b3

Download Submit
C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

Filesize
11KB

MD5
29221f620ea6b5893add15dd6c307684

SHA1
97c31bb9585a0896e1fcea8efa3f05ff16823da2

SHA256
53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

SHA512
b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

Download Submit
C:\Program Files\Open-Shell\StartMenuL10N.ini

Filesize
286KB

MD5
673bb428b6d3fab8cba07890cad09d0e

SHA1
45039820289bdb485bb761e9b267f6de9e18a26c

SHA256
ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33

SHA512
2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe57fc32.TMP

Filesize
1KB

MD5
1e46fc6993bc30e59779d8defc41993b

SHA1
1a6ef1c1600d2154261bd83dfa7816b76d493037

SHA256
8ae9d0ee7884564160f5fea841276e180888f59c9e2f6a2233bf3d7ae4c44b78

SHA512
3293e02928aea6c15dd295606a62e9e67e0818cea9bc0edff61019e6e39f2e444724d58286440ea0adf1a4f346fa2807bddfaa1a0fe435299b613e0e513b2020

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

Filesize
1KB

MD5
5d5c28deba7c8bfba062fe68f00090d6

SHA1
f9062f7cb4180c0a4796695b216b3380c0b136ff

SHA256
af6538484093c0cd2e5521bdc516400806a888afbcf82ace8a482b93d5d7265c

SHA512
7ec10beeb1de9bf71f96a94869b403a2cba4a4def6cf785fc146e190aab2698cf6a8b48636147c13f469192efaa8524b98c635572f23bbd9d05a9200ac1695c3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe57fc42.TMP

Filesize
1KB

MD5
f0309195576983f1a4fa09560ff0802b

SHA1
f1b6f1e2fb8f4f092c4603b5ec352802da1eaf4d

SHA256
ee82805563dc448be0b00ab94b5c2b5d32a4016c1887e2ae4e9d5acf9268b029

SHA512
9fdf3a62cca05cff4fc830cfe6bf2f2a629ec36bdb5c92d4eb4ab3bf2c125cc1abad6b81d8ed6367f69b31d4732bb665c3867d13b3bd38912f2de9eb13d06e25

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
3834ad08c1a6b29c8d936a5dc4cd7b05

SHA1
fa37c192bf8c91a56ac552134c59d5e36c7418b5

SHA256
205e91ed199eddb1d4d9019f1627d3af222f6c0fe25315a78c4009ad7104a15d

SHA512
93373574080c7b98b2b593180b4f4ed4b8ca2fb40e175b601a206d9190c7cbdd3ddadaee255feef10357e6a781b47ac8bf90f1976e45308b546db96ccd82147e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
a028ddf0e146f0688204cffd0045e094

SHA1
e41751da4bb3bcb45698e9e91ad9acb417b0b7ae

SHA256
009cde3813240f22eb47821b27e5b87e52f58b4b54c439a128784c29bf0da653

SHA512
b9aff4c0ebf6f3c35894ee46b9bbb110acc03faa7bfd5f4e05375c251dd4c9961b9194406819a837ea0311a669f4608a1eed32856449a3abad2e2a02c9cbf110

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe57fbf4.TMP

Filesize
1KB

MD5
2e8d7601da2c712845b0a619623236d0

SHA1
ce61d9972004df2734a4ce0e04b575f626b74a06

SHA256
d8adb9fe6ef74affbc2abddbaa6d5400cf5f74df2d402eaa465a7f79ec05d75a

SHA512
b45d8fe822ec60bf2e91648424e105f267ca54de9a2855289f8d0f7c5a0d15a192a3ab7c293b2aa0131cf69c517465fceea5c8a8afffef54928f34cb66c7daae

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\~lassic Explorer Settings.tmp

Filesize
1KB

MD5
4861c64735506e5e2f3a5f42fd9799ef

SHA1
f0266194a9575b2d2130ba6d71d41ef6e1e8413b

SHA256
5340d65c9b67531d5a4e90d234da33c409f8842477ea47fcc9e4ae04881e8e68

SHA512
43572c72a82e570dfb55cc5a60cf27655aac02502a2d65f1c6e794dd152e7331c26e0e10904595d13887e1922ad9987b3b4c6138908cf1ff1de032d9a03c23bd

Download Submit
C:\ProgramData\OpenShellSetup64_4_4_190.msi

Filesize
5.3MB

MD5
971e810ca9478a41252ff920520f108a

SHA1
5d0919ba92d0983afa4754c1659f5db619c84f1a

SHA256
7a22d669ffdd65e71c15f517af6c8013931a61e6da67b5642604fef61038e85e

SHA512
4c7b8a396ad3eea6f7294add7d2696240fe40910d166e59f51611cbd020430a675fb266256c09f95728fc7db563430ebc6c5d7c0d10bf8942c8406aeaf85d931

Download Submit
C:\Windows\SysWOW64\StartMenuHelper32.dll

Filesize
350KB

MD5
4bb413dd44c6cb51d04095d45c7ff040

SHA1
8048d8c2c012a7d967f9201b5be51221b0ed0afa

SHA256
4677b065ed62539047f893f96691ae07570b1ac7c2172c6705c053ba6f75a277

SHA512
9d4344dbde6ad8a8fab66c494ce13f8cf3b79b312a65f71c559093179a95c155586ed532fc3d8c34363bd0aea53236e3a2552371230c3c57071eab493a77572f

Download Submit
C:\Windows\System32\StartMenuHelper64.dll

Filesize
426KB

MD5
efb282fe9c98bfac6480575a211b02ff

SHA1
0b0a2e34f00c985a0574c47ff0c950f5e9db3f40

SHA256
84782c13c8d9fc68c2e86c204c2be99b846e39824096f64dd06b578841467d65

SHA512
7180ea2ccb5cd47398a009903450c9b4370bda4c73ddd5c11e4be5f6e0756e0466770df2ca82a1d5b78b619a90ffd17a88e15a9a5d073c3b5e97be9226c5b994

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
294519130546a80466ff3c0e2a5946f5

SHA1
b8cb2ce5f8f1f88dad6f5b23e0e04a7e3e281fca

SHA256
885d1fb6a6ad0f7e9fca4398f98701b7fb7a51643bb6abde6ca705d0f7d30cda

SHA512
daae8e17ce6dea907713d50218bc3a5bf37c0dbf216b4f9db44b396531ad2dfcce948e3435a18f97d6fa266c39d814d28b3815609e548fcc04bbd54705c0178e

Download Submit
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba5c64ac-94a0-406c-9d52-92ab82c340d5}_OnDiskSnapshotProp

Filesize
6KB

MD5
72d7187019a10ec7abbc644b6f84c9bc

SHA1
7f6b79906d304dce52510a2e654f7ab40e0d043f

SHA256
e528e1522270804a5e5d948217fcac95d4372224bc49b24d0103e18f00dada85

SHA512
5886b024309e92382244cff00cc7e2cd2daf0c65180604984222c4138802de49b5155d4b90226f3cb61314825c111c90a6fa6b4e32899cc2da00ab9c0a50fcc2

Download Submit