netsupport | hxxps://eprst251[.]boo/files/Asana[.]msix

Analysis

max time kernel
135s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01/05/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eprst251.boo/files/Asana.msix

Score

10^/10

netsupport rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://asana.com/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	1532	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4524	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\asana.com\Total = "34"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1df1d99e009cda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\asana.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\asana.com\ = "34"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 50855a15339cda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 68e607b0009cda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\asana.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\asana.com\ = "36"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000062020fbe9c9fc1c9f4731ef0fff259a2c281a1d670b10ce8718e75bb77b3ebb26a10679d87958bb93a32caa74a9fdb02003888838e86d7380b27	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 5eb1c8a3009cda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b8f9fbaf009cda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ac6b76c3009cda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\asana.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Asana.zip.pgmk2zk.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3392	MicrosoftEdgeCP.exe
3392	MicrosoftEdgeCP.exe
3392	MicrosoftEdgeCP.exe
3392	MicrosoftEdgeCP.exe
4740	MicrosoftEdgeCP.exe
4740	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5084	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5084	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5084	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1876	MicrosoftEdge.exe
Token: SeDebugPrivilege	1876	MicrosoftEdge.exe
Token: SeRestorePrivilege	2768	7zG.exe
Token: 35	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeSecurityPrivilege	2768	7zG.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	powershell.exe
Token: SeSecurityPrivilege	1532	powershell.exe
Token: SeTakeOwnershipPrivilege	1532	powershell.exe
Token: SeLoadDriverPrivilege	1532	powershell.exe
Token: SeSystemProfilePrivilege	1532	powershell.exe
Token: SeSystemtimePrivilege	1532	powershell.exe
Token: SeProfSingleProcessPrivilege	1532	powershell.exe
Token: SeIncBasePriorityPrivilege	1532	powershell.exe
Token: SeCreatePagefilePrivilege	1532	powershell.exe
Token: SeBackupPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeSystemEnvironmentPrivilege	1532	powershell.exe
Token: SeRemoteShutdownPrivilege	1532	powershell.exe
Token: SeUndockPrivilege	1532	powershell.exe
Token: SeManageVolumePrivilege	1532	powershell.exe
Token: 33	1532	powershell.exe
Token: 34	1532	powershell.exe
Token: 35	1532	powershell.exe
Token: 36	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	powershell.exe
Token: SeSecurityPrivilege	1532	powershell.exe
Token: SeTakeOwnershipPrivilege	1532	powershell.exe
Token: SeLoadDriverPrivilege	1532	powershell.exe
Token: SeSystemProfilePrivilege	1532	powershell.exe
Token: SeSystemtimePrivilege	1532	powershell.exe
Token: SeProfSingleProcessPrivilege	1532	powershell.exe
Token: SeIncBasePriorityPrivilege	1532	powershell.exe
Token: SeCreatePagefilePrivilege	1532	powershell.exe
Token: SeBackupPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	1532	powershell.exe
Token: SeShutdownPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeSystemEnvironmentPrivilege	1532	powershell.exe
Token: SeRemoteShutdownPrivilege	1532	powershell.exe
Token: SeUndockPrivilege	1532	powershell.exe
Token: SeManageVolumePrivilege	1532	powershell.exe
Token: 33	1532	powershell.exe
Token: 34	1532	powershell.exe
Token: 35	1532	powershell.exe
Token: 36	1532	powershell.exe
Token: SeSecurityPrivilege	4524	client32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2768	7zG.exe
4524	client32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1876	MicrosoftEdge.exe
3392	MicrosoftEdgeCP.exe
5084	MicrosoftEdgeCP.exe
3392	MicrosoftEdgeCP.exe
4744	MicrosoftEdge.exe
4740	MicrosoftEdgeCP.exe
4740	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 644	3392	MicrosoftEdgeCP.exe	77
PID 3392 wrote to memory of 644	3392	MicrosoftEdgeCP.exe	77
PID 3392 wrote to memory of 644	3392	MicrosoftEdgeCP.exe	77
PID 3392 wrote to memory of 2888	3392	MicrosoftEdgeCP.exe	78
PID 3392 wrote to memory of 2888	3392	MicrosoftEdgeCP.exe	78
PID 3392 wrote to memory of 2888	3392	MicrosoftEdgeCP.exe	78
PID 2000 wrote to memory of 1532	2000	powershell.exe	86
PID 2000 wrote to memory of 1532	2000	powershell.exe	86
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 4740 wrote to memory of 4532	4740	MicrosoftEdgeCP.exe	91
PID 1532 wrote to memory of 4524	1532	powershell.exe	93
PID 1532 wrote to memory of 4524	1532	powershell.exe	93
PID 1532 wrote to memory of 4524	1532	powershell.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://eprst251.boo/files/Asana.msix"
1⤵
PID:1104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
PID:2704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2640

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Asana\" -spe -an -ai#7zMap20439:68:7zEvent32655
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\Asana\usJzY.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\ProgramData\netsupport\client\client32.exe
    "C:\ProgramData\netsupport\client\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4600

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netsupport\client\NSM.LIC

Filesize
259B

MD5
1dc87146379e5e3f85fd23b25889ae2a

SHA1
b750c56c757ad430c9421803649acf9acd15a860

SHA256
f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2

SHA512
7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

Download Submit
C:\ProgramData\netsupport\client\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\ProgramData\netsupport\client\client32.exe

Filesize
54KB

MD5
9497aece91e1ccc495ca26ae284600b9

SHA1
a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

SHA256
1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

SHA512
4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

Download Submit
C:\ProgramData\netsupport\client\client32.ini

Filesize
672B

MD5
b195a5ef0d805dd2acfb38e5df63b63f

SHA1
311e0113acba508a1ed3c64d42fd7a0f0e3af7ce

SHA256
2ac94a594e8583574f9a16dca49b68947e5caeac3afc6b35f59f5b8a2a819d94

SHA512
dc797da376790054c6c0de33b1bcefc4e1e3db8ff87026974f2ea4dfc555d10ff588031b86580d309d77fe9001e7d5c17955f83aab40d221da42cb7c3ccc5be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQ5JVXBW\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B79YV4MX\gordita-medium[1].woff

Filesize
54KB

MD5
9c48b3d9849f9b4ecb09a090546c788a

SHA1
31cacbd39c93248b7b33a63fdf36d1722db236fa

SHA256
221cf949429418da50502eea454f043d1c98585604970d0137b0100b760d6c93

SHA512
ba12864f88e04167f0d086b3d9c17c6cfc5368f4ed30e43f02b9e9059d1136ae9c3c9d013220192ffc6739c73d40a64c8004db707ee65654b6456665a01b3939

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B79YV4MX\gordita-regular-italic[1].woff

Filesize
58KB

MD5
1049d7ee42e7ae63a515c487985e7a23

SHA1
e459caf31445773875da313fffb0767f5f2d2adb

SHA256
5acd230b206a16621045fab34f3c8fe445174ee15d9eba235d19428061e9ae0e

SHA512
8c94baecec65fde4e421a669ca374288b508beeea1ef2845ab062e1c4fefb473e794d9e23756e725c5807626e628a282d65b31bd8ebce28b7a1b50b8400fd2e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IP0IIMCI\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IP0IIMCI\gordita-light[1].woff

Filesize
55KB

MD5
10701c3270ecd9e0f375feac5601b45a

SHA1
9255a117660a95d64e98cb66065c60feb82bcd9a

SHA256
5cda22539ff38b1aa3dbfe875eee07ad5d3a8fcc1af081590a3cb3bc8871f6ee

SHA512
4675cac3a90af8da0aaaea1cec5678c97b7e049f21b3610d9910b51968d3792286bc223a21a42e92bd5199ae795a8ab844fd514ddc8b2a60c88fce7cde7ff185

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IP0IIMCI\gordita-regular[1].woff

Filesize
55KB

MD5
c3134a2479eabcc47058ff04ed1a8fd4

SHA1
10baa5250e802d00f08d92fe937a6d795f08f899

SHA256
55f651f5fe8b3f8748994899a0245fc404ed43705e9c45aeb47f8fc8c36b189f

SHA512
db15feade6f50dfcffb59d252dd4e7786df8e561f4c1b2a6e3c933fe8d0566fd24c7b8946e7520fe18ab481657c78ab85034df6d447454eb605bd2817a8f033f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OBSNECGT\Asana[1].zip

Filesize
1.0MB

MD5
c50aa8af85636796521e490b2e0b34dd

SHA1
208e615fd62249af697856734fb0e80bb1f58739

SHA256
bdd89826ab8d3e3c03833b1ea8e4b0a34c80f13bfa5882e5b82f896cec41d141

SHA512
0f8dd1ba05e92238723d4f8ed096d6b6bdb55ee913b9834e37d3fdd294c6f1613f84c64bd492ef25f8ade4763f613423517202480a5da65116ffc83034e5a93d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XE1E4J7Q\collect[1].txt

Filesize
65B

MD5
83a02fe42f8c2198e7c608aff363aa49

SHA1
7b20ae1014450492cc708e3c9dc7522b05c2effd

SHA256
e64954dc34e12c7190cc2338a54b07644ff0f102aa71cc7209bcbb49c3009f7c

SHA512
cd381a8c725c892e9a68d713254a31ea9ed25a39b212a5dc52d4ba2655f38afddb32519f03360f32a59d8e7701af6c2ad0030a6aa760c3de87c75063f5b65f54

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\MAMINQN1\asana[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XVE1R4VQ\asana-logo-favicon[1].ico

Filesize
40KB

MD5
03789a9caf871a2c491fcf788fb9519d

SHA1
7ca722c5ac96374284efc40db654de76b4f1c7ef

SHA256
a42ae227f92cc034bed8015af2bb5664327c3ef4c207e3dc6cd06e8642845e77

SHA512
aa6e83b00db93d851b6a06f6192f1a95138071b61360cc31c03ecf36623c0915ff63d819ee2b802eea3184b04a8e413e823fc1b22d5637b5aab4636cfedd6e1a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
36ee15ee5a7e248ba911cb7fbbe3faf6

SHA1
a813e7fcd78e895c5cf6c6402463f06d508bc1ad

SHA256
d92d13a766fbeb50577418b1b4374428ce85bde19ec116bfe60fd46cc5372fb7

SHA512
89b5a8b2b23fc672f008abf5a917a81f8c94005cf4835815943cf45a4ba30cdbfbe5e6341aed2264c4261897b4c42bd1cae5c4efc6776ca22e177da08880e007

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFC436C48D7DA9ED69.TMP

Filesize
24KB

MD5
d3cdb7663712ddb6ef5056c72fe69e86

SHA1
f08bf69934fb2b9ca0aba287c96abe145a69366c

SHA256
3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15

SHA512
c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OBSNECGT\Asana[1].zip

Filesize
79KB

MD5
bd192fba458d4efa5b8bdc268f00be69

SHA1
b1c79b81ed1b1241caa96e76a67d9aa4a168a2cf

SHA256
ce5ae28f39f1b140092caa5e6f816a3126a4b84dc1a4305789f2af4195625e5c

SHA512
7112f1ee1aa06cb8574ac1ff9e8149ae26caf451224a320c3161ac0af81528558b264e84bb572ae035174abbd90613b8c9bf54257e4e9fa1fa95628404b3df0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
efae2c675d58c16885489c304c0a6f6f

SHA1
f4d4cfd7c295d6f8791579b387bc5bb1c4454a63

SHA256
5c6221bb448fd1256ff7ba74e91be488a6a9af560d15d05f5c81885ac71ea238

SHA512
04cec6d2d68d069bde69b435fa68f0cb339659fca10a6b69a5b3a99a3d3b9809b06fd02410f2617b51f10e7844c3ee16c1d0f20b7e1b60f3631658cd53da09e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
45a116d2a76d4232c94dd578d77911e2

SHA1
a6837e201250f6970b77fa10da7a1cfc0327399e

SHA256
b03ea2f25cbfe9c33964edcaf94260147464531202ff4e9641cedd52e24d5083

SHA512
f8606a0c37d967ecba23f4cfb7a6c3b4d134c1dc4678a307818a96dafe4d258876e08f6b4bce9a68bfecfa286c20cb5ba06299d7b38d1dcefa324c9a0f06e99e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
55a80617f7fbfff1e73c63f2fc2dfe25

SHA1
5df041aae91137d095ac7f76fdd2cbeeb148f320

SHA256
22163368546d9eeb8b2dd4cc948b03bdaf4188b91758e1f0683d539240f747de

SHA512
b74a85034d76a1217c945fa96bbe2475d3ee0897b084053cc9589168bcc193223729ed8066942952a18658f1f55f752b58930d459caa1cb4c67c4a486128379b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
046b46584c4592ae9d2d8837ba492af0

SHA1
72ef8100e7b7d4365eb4e95e2bf084edc6064f0f

SHA256
545e67f1718a302d8108e49ad50fc887b6fd4d6e8f9c4feebd6d859aac5e1a44

SHA512
05bb6acb5ec5e08904bf204c5a7705302266e3a683e1ca3d117ed3adf20bab8964678bec50df0b4b445f4af6429a02710b3a9a8bed0f9d1f6e20c7f11b19ac06

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
42d02d1346d68a27ac49966f6645683f

SHA1
8d99a509b31c2bf11d016e39ab53939e33020fe0

SHA256
3bfa773aabcbf09cc5b04f625cdc9f451d68fdd6a6a88dd8a7a9212112f41f97

SHA512
0fc6fcfa2b478339aa59aecdb6ae851ab6c047c00296b39a6019b08e74f650c22dd4c80470afc0fb23d6b7e87c451507faee18191b5a8cfcc0ee21ee443d7336

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{FCDFF5C2-04F7-4FC1-9B82-4053316D29C2}.dat

Filesize
5KB

MD5
132badb5e91838ebfaa6677dae3d30fb

SHA1
004d03a1c5d71e1adb6f4683b610e78d92d4693e

SHA256
6648ff39e915ac56f6751e00bca3e808cc215c416f8c3bdcfe4d5def2fb7e61b

SHA512
8895774fcc7c48b783903d1ad9d70330a492ac68d488c5922f93058d28d880e30a41ef13f959b29cd21dcd2d3c028415a78355b98e7c617050ea4eb9532f8b42

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{B97C0905-1744-4FD0-B6D9-E02DCDC0EF76}.dat

Filesize
3KB

MD5
e8a1f38ec05249b83099e87acc89fe81

SHA1
faaab15d8efdf2a68df31dca3b80a1a8a9e9f716

SHA256
6a12e1bc9b1643de299f1cbf317c6eda618792fc638c8f08436cf21341316513

SHA512
3c1ef368f63c88b5878a3f028bd99f402f94af528ae043423a90de7a8fd68f17861cfae8afa4cf63bf910f4e28a007aa2e354e6aea6ea204e7a8bee18321d900

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{FA501EC6-A19A-4A90-B0F7-6C460FA6E77D}.dat

Filesize
3KB

MD5
5ed73c01d1c4c3eda4c1ccce31093dab

SHA1
6255424bea50dc29e9642394c9e387a77b46b65f

SHA256
2651b27b2d74c475fe53b2a34cd508bcec88e4e43413e8b124cbddd253df70a5

SHA512
7d882d036c118a52a3d894e3d347363fa34ac51b89008e01ef9e23c727011a8859f362ad6187e655342d1d749ab1389428c5c243a6498a874af7d7c72c2a3890

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ladib3.rb1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\Asana\usJzY.ps1

Filesize
6KB

MD5
8ede71440d02f3d250a3ac50eef4280f

SHA1
b97e6ebd28ca3cb9e45ea6ecd8e2b2a9323c5bc6

SHA256
5e9362dba53021ab588e396e1cb28100718471f07c5dd5cafa6bf5728f014b97

SHA512
77f23d7ae4aeab44048f72e34b45f8a0e7b2872711319e028fa685812fa63905f3dbd87daa3950151ac41805104a2e65b9dd6371b270beb0952f6eada559772b

Download Submit
\ProgramData\netsupport\client\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
\ProgramData\netsupport\client\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
\ProgramData\netsupport\client\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\ProgramData\netsupport\client\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/644-59-0x000002B863500000-0x000002B863600000-memory.dmp

Filesize
1024KB

Download
memory/644-62-0x000002B8632F0000-0x000002B8632F2000-memory.dmp

Filesize
8KB

Download
memory/644-67-0x000002B8737E0000-0x000002B8737E2000-memory.dmp

Filesize
8KB

Download
memory/644-65-0x000002B873720000-0x000002B873722000-memory.dmp

Filesize
8KB

Download
memory/1532-1655-0x0000021B7F010000-0x0000021B7F032000-memory.dmp

Filesize
136KB

Download
memory/1532-1636-0x0000021B7F010000-0x0000021B7F03A000-memory.dmp

Filesize
168KB

Download
memory/1532-1680-0x0000021B7F000000-0x0000021B7F012000-memory.dmp

Filesize
72KB

Download
memory/1532-1693-0x0000021B7EFE0000-0x0000021B7EFEA000-memory.dmp

Filesize
40KB

Download
memory/1876-118-0x0000022ECB290000-0x0000022ECB291000-memory.dmp

Filesize
4KB

Download
memory/1876-122-0x0000022EC97B0000-0x0000022EC97B1000-memory.dmp

Filesize
4KB

Download
memory/1876-17-0x0000022ECC230000-0x0000022ECC240000-memory.dmp

Filesize
64KB

Download
memory/1876-115-0x0000022ECB2F0000-0x0000022ECB2F2000-memory.dmp

Filesize
8KB

Download
memory/1876-70-0x0000022ED3000000-0x0000022ED3001000-memory.dmp

Filesize
4KB

Download
memory/1876-35-0x0000022EC97E0000-0x0000022EC97E2000-memory.dmp

Filesize
8KB

Download
memory/1876-71-0x0000022ED3010000-0x0000022ED3011000-memory.dmp

Filesize
4KB

Download
memory/1876-0-0x0000022ECC120000-0x0000022ECC130000-memory.dmp

Filesize
64KB

Download
memory/2000-171-0x0000020EBFBD0000-0x0000020EBFBF2000-memory.dmp

Filesize
136KB

Download
memory/2000-195-0x0000020ED8C80000-0x0000020ED8E88000-memory.dmp

Filesize
2.0MB

Download
memory/2000-174-0x0000020ED86F0000-0x0000020ED8766000-memory.dmp

Filesize
472KB

Download
memory/2000-194-0x0000020ED88F0000-0x0000020ED8A66000-memory.dmp

Filesize
1.5MB

Download
memory/2888-79-0x000001EEAF000000-0x000001EEAF100000-memory.dmp

Filesize
1024KB

Download
memory/5084-44-0x0000020BAD4C0000-0x0000020BAD5C0000-memory.dmp

Filesize
1024KB

Download
memory/5084-42-0x0000020BAD4C0000-0x0000020BAD5C0000-memory.dmp

Filesize
1024KB

Download