7638cea93334af3658ccd523affd183a8eac3fc833a31f4dce7a53648fb88ef3

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2025, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nikkellegering.ps1
Size

53KB
MD5

daee23494cb2039ad5ea0486945a0df0
SHA1

f6982455b15c62ba79500f3f1c953c7c30ad3ddd
SHA256

c2d9b8b50e800c97958e1680266d11587e46929325ce7895705bb1798a03b6c8
SHA512

b657ed6717e21cbcf74fc463a869c53fa55b4a3deb4dbb7585bcbef89156cf7626a778f7e83377a0cdd585ef2de0e8d8ce06e86b31f38733e60030b6f2f5e779
SSDEEP

1536:GHEsoBAs5bKMWGq2l907lCSYe2XcTitVsSfTl:tv5uMWGqGCCC2MWfTl

Score

8^/10

execution persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1156	powershell.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3833542908-3750648139-3436651901-1000\{0BECE780-2187-439C-8C37-24000394F277}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3833542908-3750648139-3436651901-1000\{D2856D4F-B79B-4B05-91AD-5313139363A3}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3833542908-3750648139-3436651901-1000\{57A54C10-29EA-4C72-AE84-2C9C594226E6}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeIncreaseQuotaPrivilege	1156	powershell.exe
Token: SeSecurityPrivilege	1156	powershell.exe
Token: SeTakeOwnershipPrivilege	1156	powershell.exe
Token: SeLoadDriverPrivilege	1156	powershell.exe
Token: SeSystemProfilePrivilege	1156	powershell.exe
Token: SeSystemtimePrivilege	1156	powershell.exe
Token: SeProfSingleProcessPrivilege	1156	powershell.exe
Token: SeIncBasePriorityPrivilege	1156	powershell.exe
Token: SeCreatePagefilePrivilege	1156	powershell.exe
Token: SeBackupPrivilege	1156	powershell.exe
Token: SeRestorePrivilege	1156	powershell.exe
Token: SeShutdownPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeSystemEnvironmentPrivilege	1156	powershell.exe
Token: SeRemoteShutdownPrivilege	1156	powershell.exe
Token: SeUndockPrivilege	1156	powershell.exe
Token: SeManageVolumePrivilege	1156	powershell.exe
Token: 33	1156	powershell.exe
Token: 34	1156	powershell.exe
Token: 35	1156	powershell.exe
Token: 36	1156	powershell.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe
Token: SeShutdownPrivilege	1224	explorer.exe
Token: SeCreatePagefilePrivilege	1224	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
664	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
4660	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3684	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4632	StartMenuExperienceHost.exe
1840	StartMenuExperienceHost.exe
904	explorer.exe
3020	StartMenuExperienceHost.exe
2760	StartMenuExperienceHost.exe
4588	StartMenuExperienceHost.exe
2436	StartMenuExperienceHost.exe
2996	StartMenuExperienceHost.exe
3988	SearchApp.exe
4624	StartMenuExperienceHost.exe
2060	StartMenuExperienceHost.exe
4748	StartMenuExperienceHost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Nikkellegering.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:664

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:2244

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:3688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1256

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
7aaadc7ca9d8790a6df8b66fd7157e20

SHA1
8a725cd8b88cb9f52e77abc7053c5982e80562bc

SHA256
0894ae9a08bd782fab1737f206a300adfaa5030fa357d487997cf69c9cd3685f

SHA512
0bbcd2b4feb2504023cf5385aeef6f88b6be5143512db0cb0c473b26b11ec34424f9d72866b1aeeb8093a9d751c2b8bb520ab9bbba003ecd0a5f12ea7cc3d399

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133891105764389666.txt

Filesize
87KB

MD5
02db47ab7df61b94968e7a13bd6ff84e

SHA1
7dea73aaaf86cc66721699e551349d96c9d8a41d

SHA256
75724dd71ed1dd2b3faed1374ae9631f0c13ec062de61ea14a584a89653b84fe

SHA512
34d0e2e9e9d9994b75f1bf8487f0318b83e65243324fb9380447f540764274f4f7146c71a8992f8f62ae8d9e546d209e47242c5a847169bb6516f4235dac7f88

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\66W14BXJ\microsoft.windows[1].xml

Filesize
97B

MD5
a5837db9f96a9822ee817e2e770863fa

SHA1
0d89d11901144c9d00bb456850f2ae4ea8d394a6

SHA256
03474fcde1d0c3a93531facb00bc83d1cdc56843612379354319609a4c571882

SHA512
0d21f55e8d831e815d24a32c06c3ecd660f9149acfa6bae4984d5ac3f800ce9748853de0053789fe3f704bd6f801a4d2f0d9259a278c1a5f5069db9486040e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tacmkgmx.e4x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/664-45-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-51-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-52-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-49-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-50-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-46-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-37-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-47-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-48-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-44-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-43-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-41-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-40-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-42-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-39-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/664-38-0x0000000007B50000-0x0000000007B60000-memory.dmp

Filesize
64KB

Download
memory/904-69-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-61-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-58-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-57-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-56-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-71-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-70-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-60-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-63-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-64-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-66-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-68-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-67-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-65-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-62-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/904-59-0x0000000007F90000-0x0000000007FA0000-memory.dmp

Filesize
64KB

Download
memory/1156-0-0x00007FF9A5D23000-0x00007FF9A5D25000-memory.dmp

Filesize
8KB

Download
memory/1156-20-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-19-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-18-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-16-0x000002673AF90000-0x000002673AFB4000-memory.dmp

Filesize
144KB

Download
memory/1156-15-0x000002673AF90000-0x000002673AFBA000-memory.dmp

Filesize
168KB

Download
memory/1156-14-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-13-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-12-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-11-0x00007FF9A5D20000-0x00007FF9A67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1156-10-0x000002673A950000-0x000002673A972000-memory.dmp

Filesize
136KB

Download
memory/1224-22-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-27-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-30-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-26-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-25-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-24-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-23-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-28-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-32-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-31-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-36-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-35-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-34-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-33-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-29-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1224-21-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4660-88-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-96-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-91-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-90-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-93-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-97-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-98-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-92-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-94-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-95-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-99-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-100-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-101-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-102-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-89-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4660-87-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download