9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

Analysis

max time kernel
99s
max time network
177s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenShellSetup_4_4_191.exe
Size

7.9MB
MD5

e0484fd1e79a0227a5923cdc95b511ba
SHA1

bea0cb5c42adbde14e8cf50b64982e1877c7855d
SHA256

9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
SHA512

80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431
SSDEEP

196608:B+s5T8f3Hb+IcrthtV80y85WDe+qHw7aJvRt5Oj8GWDAqr:BbT8j+9JkNDJQGuRFDj

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
6012	StartMenu.exe

Loads dropped DLL 6 IoCs

pid	Process
4568	MsiExec.exe
1052	MsiExec.exe
3776	MsiExec.exe
2800	MsiExec.exe
6012	StartMenu.exe
3584	Process not Found

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\StartMenuHelper32.dll	msiexec.exe
File created	C:\Windows\system32\StartMenuHelper64.dll	msiexec.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Open-Shell\StartMenu.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe581f0c.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer32.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Midnight.skin7	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe581f1c.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShell.chm	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Basic.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer64.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\DesktopToasts.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metallic.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Update.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Full Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShellReadme.rtf	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe581eed.TMP	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorerSettings.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Smoked Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuDLL.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\ExplorerL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\PolicyDefinitions.zip	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuHelperL10N.ini	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e581b65.msi	msiexec.exe
File created	C:\Windows\Installer\e581b63.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581b63.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenShellSetup_4_4_191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006b382b850f3dc2e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006b382b850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006b382b85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6b382b85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006b382b8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\VersionIndependentProgID\ = "ClassicExplorer.ShareOverlay"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\ = "ClassicCopyExt Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win64\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	StartMenu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\ = "ClassicExplorer 1.0 Type Library"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\ = "StartMenuEmulation"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID\ = "ClassicExplorer.ClassicCopyExt.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\VersionIndependentProgID\ = "ClassicExplorer.ClassicCopyExt"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\CurVer\ = "ClassicExplorer.ExplorerBand.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE47A977ED3217C4CA21E25E5A24DE43	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ = "ShareOverlay Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\OpenShell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65843E27-A491-429F-84A0-30A947E20F92}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65843E27-A491-429F-84A0-30A947E20F92}\ = "ClassicExplorer"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CLSID\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}\ = "StartMenuHelper"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\Programmable	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer32.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ = "IExplorerBand"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx\MayChangeDefaultMenu\	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win64	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\PackageName = "OpenShellSetup64_4_4_191.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\CurVer	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1"	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5448	msiexec.exe
5448	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1884	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1884	msiexec.exe
Token: SeSecurityPrivilege	5448	msiexec.exe
Token: SeCreateTokenPrivilege	1884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1884	msiexec.exe
Token: SeLockMemoryPrivilege	1884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1884	msiexec.exe
Token: SeMachineAccountPrivilege	1884	msiexec.exe
Token: SeTcbPrivilege	1884	msiexec.exe
Token: SeSecurityPrivilege	1884	msiexec.exe
Token: SeTakeOwnershipPrivilege	1884	msiexec.exe
Token: SeLoadDriverPrivilege	1884	msiexec.exe
Token: SeSystemProfilePrivilege	1884	msiexec.exe
Token: SeSystemtimePrivilege	1884	msiexec.exe
Token: SeProfSingleProcessPrivilege	1884	msiexec.exe
Token: SeIncBasePriorityPrivilege	1884	msiexec.exe
Token: SeCreatePagefilePrivilege	1884	msiexec.exe
Token: SeCreatePermanentPrivilege	1884	msiexec.exe
Token: SeBackupPrivilege	1884	msiexec.exe
Token: SeRestorePrivilege	1884	msiexec.exe
Token: SeShutdownPrivilege	1884	msiexec.exe
Token: SeDebugPrivilege	1884	msiexec.exe
Token: SeAuditPrivilege	1884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1884	msiexec.exe
Token: SeChangeNotifyPrivilege	1884	msiexec.exe
Token: SeRemoteShutdownPrivilege	1884	msiexec.exe
Token: SeUndockPrivilege	1884	msiexec.exe
Token: SeSyncAgentPrivilege	1884	msiexec.exe
Token: SeEnableDelegationPrivilege	1884	msiexec.exe
Token: SeManageVolumePrivilege	1884	msiexec.exe
Token: SeImpersonatePrivilege	1884	msiexec.exe
Token: SeCreateGlobalPrivilege	1884	msiexec.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeBackupPrivilege	2800	MsiExec.exe
Token: SeRestorePrivilege	2800	MsiExec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe
Token: SeTakeOwnershipPrivilege	5448	msiexec.exe
Token: SeRestorePrivilege	5448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1884	msiexec.exe
1884	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6012	StartMenu.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1884	3144	OpenShellSetup_4_4_191.exe	81
PID 3144 wrote to memory of 1884	3144	OpenShellSetup_4_4_191.exe	81
PID 3144 wrote to memory of 1884	3144	OpenShellSetup_4_4_191.exe	81
PID 5448 wrote to memory of 3408	5448	msiexec.exe	96
PID 5448 wrote to memory of 3408	5448	msiexec.exe	96
PID 5448 wrote to memory of 4568	5448	msiexec.exe	98
PID 5448 wrote to memory of 4568	5448	msiexec.exe	98
PID 5448 wrote to memory of 4568	5448	msiexec.exe	98
PID 5448 wrote to memory of 1052	5448	msiexec.exe	99
PID 5448 wrote to memory of 1052	5448	msiexec.exe	99
PID 5448 wrote to memory of 3776	5448	msiexec.exe	100
PID 5448 wrote to memory of 3776	5448	msiexec.exe	100
PID 5448 wrote to memory of 3776	5448	msiexec.exe	100
PID 5448 wrote to memory of 2800	5448	msiexec.exe	101
PID 5448 wrote to memory of 2800	5448	msiexec.exe	101
PID 5448 wrote to memory of 6012	5448	msiexec.exe	103
PID 5448 wrote to memory of 6012	5448	msiexec.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe
"C:\Users\Admin\AppData\Local\Temp\OpenShellSetup_4_4_191.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  PID:3408
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4568
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1052
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3776
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Program Files\Open-Shell\StartMenu.exe
  "C:\Program Files\Open-Shell\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581b64.rbs

Filesize
19KB

MD5
aece0585c07dc13cd9b6b6d8db424a3a

SHA1
9437917e695687d65da20ba14d4b52e40b915543

SHA256
659bd190bdd30933393f8b15c85535df9131537779df24e9d6aea65b97398bdd

SHA512
68d0c166e528248df9548726f1c8a49e726e45549c356cd19996924de68f25b365b86dfb68eb1b2f1fd7fbc739ed6c5f60e90518cd2573de922d59709571a4b7

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer32.dll

Filesize
863KB

MD5
a805193aed76942c667a798f9dd721fc

SHA1
3d2f702b16cb22d5918f6d51585a871fb3b3f900

SHA256
97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89

SHA512
0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer64.dll

Filesize
964KB

MD5
950ff69adc1b8eec1bd8d502615b0ba6

SHA1
edb3916b7ada6aa0e765c6f70c39e182b8d45dfd

SHA256
9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e

SHA512
f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

Download Submit
C:\Program Files\Open-Shell\ExplorerL10N.ini

Filesize
98KB

MD5
6ed13b9c1719b252e735ba7e33280e67

SHA1
f3753deab4d99dbee4821a8a70fe6e978e1a45f6

SHA256
b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

SHA512
f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk

Filesize
1KB

MD5
31058d2fc4fe66e5c30ade3e2af986e1

SHA1
042bd833000cc57fe45db1782db8af1670ef12ca

SHA256
8afe7202831a9597ec981cd6003de71bd03d8efa4fa36198aaea41caecf063bb

SHA512
4dcccbb6a20c35ea8753224110777d51e53f51349aa8353d8a6c5543822f23de66ad68e1b59d04bdab4942ce9ef224904ba55e71861a86fa3cb45ef254936788

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe581eed.TMP

Filesize
1KB

MD5
314e3fbcc11216d4d5a81d586c1dd9e2

SHA1
fcc92b3e56f7dbbdfd6a56922d7af1b921b51e23

SHA256
097a2efab50fdd9e428cb86edab6055b2abfdcea465d8228f90921c052509170

SHA512
c84cbc182708626bf8f3c187eb6e49ed9df84c390b9d6d7e222a89ea9c42a999361002741973e94e08386de9ff650189399addea657aefa588f1d9883c13781b

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
1KB

MD5
8955144decf085cf1bbe50bf534cbde6

SHA1
482737fbe6acc74d59c44fb4739429ef61078b72

SHA256
cf17b08fc9dafb5a5d7b7a9a8b642c4210df5aa34aee0cf73db2f2152b26b629

SHA512
73e19f13d28ee3780e801159b051cc3381bd495156f7040632b912afe4906c8eb351c12de381219a3b9a339b76069e50eee263c8bc6f99620f05a63391715b63

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
d656408e9e26c6789cf1e64768ac072f

SHA1
939361d6ebfd216fd0db891cfd30bc950f47682f

SHA256
caaa10c1cefcd2dc1d130d350f172f6da485ddcdc58b62287c6046f536b5142d

SHA512
328bd6fca691f1f235efd839f05cab682a39bd4a05008a84a5fa10cebaf9eb7c341a9d9526201f3c4ccb2844203ee33298d408ab7e4280dfae2f29282c4278dd

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
a6155a47f9d781c16c65f1f5911b1793

SHA1
fb3d84b4c48eeb14a9d5b9c17318ad15598b40f3

SHA256
0181251cb63ccb2fd613e2d31d86de85f8f127967fff6c4ad02d04cc07a9266f

SHA512
391893733330523a90a0f93cd1b282bc27ed7f7cd0c95db39b1e6a6d6ff6f2a28b63b6d3e4181e5bb4bd673c917e10e464f087518d638ec5e7470a4e57102284

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk~RFe581f0c.TMP

Filesize
1KB

MD5
b542e48638da5c7d1c40f8319eb56223

SHA1
7bbe16b9b87e7112673ba30c2f17a82a5fb05b8b

SHA256
8333404eee4074a0969badefe5c72e24e82fd444531cd0c973015988be6f3b23

SHA512
6be2fa1851f4b4b08b47ce1b7c84ad7ba89456deed45d33f41ca02b26e96dde47a3ecd9a5a7728a7cc1a1ce5b1400615af989d2581050fe9b544351b38a2b840

Download Submit
C:\Program Files\Open-Shell\StartMenu.exe

Filesize
259KB

MD5
9aca92d31344210995d18ac75f7df752

SHA1
fec9f414f3c399f8384ad6a32d0b60adde85d8d9

SHA256
df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf

SHA512
ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

Download Submit
C:\Program Files\Open-Shell\StartMenuDLL.dll

Filesize
2.7MB

MD5
e29ab21b4d9266502677b9837ad23346

SHA1
939e7bb40623f04dd3d75f4685a543437512771a

SHA256
808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185

SHA512
7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

Download Submit
C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

Filesize
11KB

MD5
29221f620ea6b5893add15dd6c307684

SHA1
97c31bb9585a0896e1fcea8efa3f05ff16823da2

SHA256
53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

SHA512
b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

Download Submit
C:\Program Files\Open-Shell\StartMenuL10N.ini

Filesize
286KB

MD5
673bb428b6d3fab8cba07890cad09d0e

SHA1
45039820289bdb485bb761e9b267f6de9e18a26c

SHA256
ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33

SHA512
2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

Filesize
1KB

MD5
9be199179ddbf7fb1cb031e02b7810a2

SHA1
2763d43e843db623e8ac66a0291f8ab6966db458

SHA256
50cca3af6bd371d98287d22605fb3100732f01bd93a855a6ac26bbcbffeb571e

SHA512
19cec6dc1eb6b7ac3542586d2b19b9eb9e0c2d3db0cb967f523d4fbc39b629e6c00f0c5f897f5aaa3d82d79103476502de489ce77788235f2516d59fb2cb0cb8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe581ebe.TMP

Filesize
1KB

MD5
754f1a1fb76a81a57ba106d7ac471ba0

SHA1
a0c2cf4fd795b782a6e74445cd5bbd3b2700fc97

SHA256
9fe682374af22ad10027d5697cf78ca5de4d768f94b075226457bab5a02b18cc

SHA512
d529fc0feb72497575bf04f24bc38dc4aa335b766d334fdeced128da44276f062c49b4e403b7912783ae728dae1935c54c551e01a9b7013e142369b6c1f27f76

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

Filesize
1KB

MD5
d0c731956cc3c4db5d7b4312afceef58

SHA1
e45105773341184cb6562f7c1dc63a1f61ee8fb2

SHA256
35d210d3dfa89109ca33851f4181cbdad9e928c171c37106f8cb0d1879eba344

SHA512
6f09610df0220b9b9f551c2517eccb4ad862b3b1f0f25c0c0010e2d10d69a7d01c5a285a1c2564e9cf4170ae058750310e5759d181a0b90d4e572a6e8cd035ad

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe581ece.TMP

Filesize
1KB

MD5
e3865a2c2c786a91d0162c79c1aca3c8

SHA1
899530be5d29777d62c6f71aa960334e74deb495

SHA256
5ed02b3674d15264fc9f409abc7150d48486d8478d00eafcbe44fb93c6db7dbb

SHA512
1d4278b0b4db08dc1f856aa579e015b9078304ee1bf46edda2566f405ae936494e92c3f5297b8c90e926714201305586a76adc892dd181c440ac33508406ec42

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
6638221f57c3c89df9406a83568c6a15

SHA1
bfccaf5d8c3e922e7ed84bda5b1dd2af1a294b8b

SHA256
b27b99311a5d9779120417c7d47dd4f6d310381c34a5415fc7177e7fdf5c3cf8

SHA512
184f8a521dbdd8d7e709a7656af720f0207724975e61b064a85b1dc5bee530257e43b5e1e306211fa8c6105184ff1a3592a799072b4389a551238b84da910051

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
4d713bb470b4577521b845d57eca1e66

SHA1
5d4060386decba1b12aecf94b1e0f321c7b062eb

SHA256
3e6093f2564ec40400ad0a441a4981481804de4088dd615073996534b3918fad

SHA512
fae241efe18c0d2e60191d4537c673d98f75cb75dc62ec96834814a807a2bea2f6eb62d0a25bcaa875fbb4df0e271e60462add75fa678e43e996f98afd1ef277

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe581eae.TMP

Filesize
1KB

MD5
66eb13ba257abc2a8e06c49a1f20d60f

SHA1
bef0002947f04f5d96900f5649209dfa4e2c6b60

SHA256
8e885371a7da2380639960a0ef2e7a228803e85990ba2d347ef5acefd0e0f449

SHA512
0292e81d2f9b4c572cfff1006563e2c194eeed9f7e9ea1d728c1e189757842c34efbf79b75a3851f3067454a993545d16e1389af9ff24a92eee8651e09dd0ce0

Download Submit
C:\ProgramData\OpenShellSetup64_4_4_191.msi

Filesize
5.3MB

MD5
cc25bc2f1b5dec7e9e7ab3289ed92cc7

SHA1
449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2

SHA256
25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313

SHA512
e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

Download Submit
C:\Windows\SysWOW64\StartMenuHelper32.dll

Filesize
351KB

MD5
b7c7f2bf76b2220839af735e2b58fefc

SHA1
16631df5f62096b039fc1996066805721b622407

SHA256
a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875

SHA512
6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

Download Submit
C:\Windows\system32\StartMenuHelper64.dll

Filesize
426KB

MD5
22c9a786f3ff34275c80876b8ac5cc10

SHA1
beb6f4f28b98910b2031c37d7cec385543045614

SHA256
b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca

SHA512
92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.9MB

MD5
f3850f39d6377a38bc277536dde95a5c

SHA1
e8049f73c950a3bad79dcc4856d1f56e93becff1

SHA256
7536c7a81bfe16bb4847671d849e97fcd039eb5a825d987717901b04283db4d6

SHA512
ed2b3c5a4effe76bb5664313ce5b8f80e9aaf2c7850c46f4180c24c818e4219eb7c4d3970bf40cf105b92ab38cf1b7311de3040af36ddeff0ab4cefa1d26ef23

Download Submit
\??\Volume{852b386b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bbf54f04-479f-48d2-b40f-d48f63087acb}_OnDiskSnapshotProp

Filesize
6KB

MD5
12737097acbafe47802ab910ea9ab052

SHA1
3770ceeeb1fec4ad413f76dcbc3cf6ee3318d385

SHA256
33a0ff7588c2d1ca44562b3d34af40c4a9ea78add436de43f7110dc8466799a8

SHA512
414cd0a7b702850aba52de217a646dc580de8e22c9c21af991582b8143c1ac8a7a1f2ffcc61f298ae69537952546786d8eab5fa2b29d9bde8a09156d80fe3b06

Download Submit