hxxp://workable[.]uk[.]com

Resubmissions

30-04-2024 20:59

240430-zspv5aff61 6

30-04-2024 20:58

240430-zskleahd78 1

30-04-2024 20:50

240430-zm2bzahd23 1

30-04-2024 20:47

240430-zlb1pafe5v 10

Analysis

max time kernel
193s
max time network
185s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
30-04-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://workable.uk.com

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
14	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133589843579964710"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\MuiCache	AppInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Workable_4.12.7.msix:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe
Token: SeShutdownPrivilege	3836	chrome.exe
Token: SeCreatePagefilePrivilege	3836	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
716	AppInstaller.exe
4780	AppInstaller.exe
4064	AppInstaller.exe
4708	AppInstaller.exe
1928	OpenWith.exe
1436	AppInstaller.exe
4028	AppInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3740	3836	chrome.exe	79
PID 3836 wrote to memory of 3740	3836	chrome.exe	79
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 4684	3836	chrome.exe	80
PID 3836 wrote to memory of 3712	3836	chrome.exe	81
PID 3836 wrote to memory of 3712	3836	chrome.exe	81
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82
PID 3836 wrote to memory of 1020	3836	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://workable.uk.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97cdeab58,0x7ff97cdeab68,0x7ff97cdeab78
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2880 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4152 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4928 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1768,i,6318672818976442438,3418898295962369332,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4648

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4840

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3216

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f89d126e459bb7a55fd35bd9571c06c6

SHA1
dec2d55941d1828d4535554699077509b301e11a

SHA256
0148a1c613181a9262e1c1d0ed0c2eee2d59cb713d5b04698ec12794fbc84d5c

SHA512
4b3a10028387be12bb3ddfab26b48189aa3217076600d1b9ac38d6d0dca9a8c8c55743629e8a5bf9adb26217a641ce2c2c2736f2f576eba843bd3ff6ca9323b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7a007805683113d9c6c90d6cb960e476

SHA1
b440805d0f0b596211f32990125ea21c3b59ee55

SHA256
5c8bf36820b447ab7afcbc8a8273841146381279bf4d4017bb265e0facbc8742

SHA512
3ec4a9b7c84e944c522a18b2d3350314e6891e5d4bec931dc3a35ebac5d2696ebf0fb1bc3a6975c12b3969116be22de0702b4d7be08b7645f9ba77cd5f21bfb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4a07ae42c4f978cc8b19cb47851baef7

SHA1
0b769d38632b0a8ae10645b672516f597512dcb2

SHA256
f96d9bcd0098e1aa2c4ec3eaf1495ce256c65c493906464eba8641ee8bfadeda

SHA512
cf1bb292fb8f165508a9e01c42c49decdb9a718d3b07fe72b11657d5e6cd53b8e8acb6e383b4e3111e5391aa59eca4e4e2d7a831ccdca6266d1d2127115ec353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
cb6acfcb5c1f69fd7ec83c85a7748a6d

SHA1
68be554c02c1853d3e6d4a28a5b61425495d87ac

SHA256
d3609f7e42fb2cbe6bdb08f70f31ac077eaceefd7673e6429b31abcd63d3c712

SHA512
3f784796a92d2f58a0564c3c7d0f3df9e46b52cfa6a2bff298283bf5fe4596732960ccb2746c29aee08706096d8adc864f0468246f9aad68bd63073e3f112552

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
37818a161a5525ba68ebea05be8091a7

SHA1
7057786520738b802c157c7350404bc21bbc42e6

SHA256
bd806a98d1d8d352c92a9ed42a42ed9dd46642fe16e26b784d0653b1db70483f

SHA512
d58ef08f360c5d69ddd50cc42de9e5881fd2f27a2728580485cd7a4952abc64253dce50ecfc851f129707d17bc3ce36661c8cbee2aba9c25f304244b90f8e6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e1a5.TMP

Filesize
104KB

MD5
f40ab1f9b00dc19f858a299b3c6f53c1

SHA1
35d5a31e8c1e9908f5d9129be412813a2b42bfa1

SHA256
8d2bb16dfa4f2c6b33ffd422cc12c2d780d5c700d6340ce7f345bc4d85bd2443

SHA512
15ec2d656a8cd54ea4cf8f2f34b5c769251e77f3f1e0d786bf270984809cd726c77a99fc799179fa4a2d48fa9a31b662875b66e00d453ad299750c4a60dc0ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f5491062-3e9c-425d-b76f-57ad3e0f1dae.tmp

Filesize
130KB

MD5
da2bde443c4cd4e5cd376a4c63f8b85d

SHA1
048a61e05271898a3239ab5316a3db0e9322a594

SHA256
f4dd24169e4df4053a733dca42a8ea42f5228fdc9e313461bbda75165e833474

SHA512
6d35085558cc6c38512b6c7e5b99badc3817418cf909c94e03b62d5ec2ddd2baef42caae86c6fb0fe5937fcc4e4326ba4de9b14c1da1d475cee768e77e6ad3c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
b502daf765d27c72fc4b3d58f0f17bdc

SHA1
43257dbf0b19d9eee3e224cc75f77fadeb2b2733

SHA256
5577d7cacaa928f82d2993989300921e805f781e6d4b8cea2cfad89f5e9fb442

SHA512
1225251af6f8e8d0d24b7336feaa644adabf168dad2674c9a3f61328d370162d96ae2359a41f64afe494818b020724bc31e3e18379105553bd480e9fb05f3a39

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
afb3b83270b5045ed4a939932986e0f9

SHA1
7fb3efa7f989c20d1fc8764274f622fda19cea02

SHA256
015e184d28800715eb3528004875b69e52cb8aeaf15bc3dfeb33d927f640ca6b

SHA512
be277d64713a1474ef5d9454aeaa552f3eb3edfe4828828936e900b98f35d37a79f37543eab6bb290e852cf7ccf5a25b0a8f7d23601160fb4df39f7d060610b8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
eb3889425872b7c141ca8ab31991b1a0

SHA1
f6d0e510752c04d83d9e844336c8038cef1a038e

SHA256
af4a4c8557141b5d395e1639ab7da216b57db885db86f00f2f7c6b3772740438

SHA512
5fea91f0c9f9cf72a923820b1adc3765307ddcceecc88a997758487acafb436b9508747d6e9431923f17fdfb19625f9b47a2d326f6134bf7686c7bcd53e41bf2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
600fec2d4756fa3a2c3e46b500839216

SHA1
5383b107c1e79d3106850e85948fe9714b0352e9

SHA256
1150dd5bc52f7ea9d9702a60f9c236ebc82762349d83e3b7be20a541fb6cce75

SHA512
a746e81123b8125deb34850fe20d3064cb0f63ae62858139ad312a7153d300c6f7d2aa29194e81991f16dc09046c21299dc8394f96a4e277ae1268928be92d71

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
909B

MD5
d44fcee27ff173ae86e503820a5d3779

SHA1
a1c8cbfa20f2511f0835296c3d28a25430159acc

SHA256
047ca1a4e098024c63bc3f2ea76e4b88373e87a8d34cc22cc4d41615cee2c49f

SHA512
c84f92f4d85d67ec37c0dd7a46f358f4543c2332d7d5ef482189aa9b1c46f31fccb7badacb1600810f9a0f532b7324e252406f792cd71801c609618ccc44ca89

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
b2f2d37eea1e4af57dbc21a493ccbf69

SHA1
373f6782043e80299381fa461c45b888fed2353a

SHA256
475abc1cbcc28974417632a3a25300e6ef90508274db60b62343947e1ba18cb9

SHA512
c42279a0544304310a89f91581cc074de0c25793fe1344376139015cb9868f659f6f33b0930bf5fe09d303cefb487ba28005742c86c4b97d4f3953211d3d2b7d

Download Submit
C:\Users\Admin\Downloads\Workable_4.12.7.msix

Filesize
1.0MB

MD5
318bf7ea84487c8a63a3996e24494455

SHA1
243ed6b028aeb2c94eeafbffcad193f43b808444

SHA256
184a400fe334027ff287ad0cf83c165fdf4605507c83ec054fb2b544f877163c

SHA512
930738b8da136831754b076374e0c6d215608d271501418bae142279c915d51df447b44ead4414e7f4995c8ef756b3b2e489ae88d72d7e98e40cbf8dd0b3d83c

Download Submit
C:\Users\Admin\Downloads\Workable_4.12.7.msix:Zone.Identifier

Filesize
121B

MD5
c40f7cc3551e49ea0470bcc2152a38db

SHA1
49a68446ebaffb6c26c78e6f4b448fa1063480de

SHA256
1a9629777db42daa12483fb6b1817936bd1e358a53207639fa81cbe41b90b0d4

SHA512
457eab10f2f5439379e26683834292657dae916cb44327ddbc6fa04e46bf5814f2f976520333d072c593e30f90a797de66855f8d054eaab12ef74f1344e73f6c

Download Submit