hxxps://eprst251[.]boo/files/Asana[.]msix

Analysis

max time kernel
89s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eprst251.boo/files/Asana.msix

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://asana.com/

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
36	4648	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
20	api.ipify.org

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000_Classes\Local Settings\MuiCache	AppInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Asana.msix:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
4468	msedge.exe
4468	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
2744	msedge.exe
2744	msedge.exe
2348	msedge.exe
2348	msedge.exe
2064	powershell.exe
2064	powershell.exe
4648	powershell.exe
4648	powershell.exe
4544	msedge.exe
4544	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1680	7zG.exe
Token: 35	1680	7zG.exe
Token: SeSecurityPrivilege	1680	7zG.exe
Token: SeSecurityPrivilege	1680	7zG.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
1680	7zG.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
4468	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe
3536	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	AppInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2292	4468	msedge.exe	78
PID 4468 wrote to memory of 2292	4468	msedge.exe	78
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 4600	4468	msedge.exe	79
PID 4468 wrote to memory of 2852	4468	msedge.exe	80
PID 4468 wrote to memory of 2852	4468	msedge.exe	80
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81
PID 4468 wrote to memory of 3912	4468	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://eprst251.boo/files/Asana.msix
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffac0723cb8,0x7ffac0723cc8,0x7ffac0723cd8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6150036005279261417,14591417241477802546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Asana\" -spe -an -ai#7zMap3051:70:7zEvent6366
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\Asana\usJzY.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://asana.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac0723cb8,0x7ffac0723cc8,0x7ffac0723cd8
    3⤵
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4214152697655970532,10602961494823244378,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    3⤵
    PID:1940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4214152697655970532,10602961494823244378,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4214152697655970532,10602961494823244378,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    3⤵
    PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4214152697655970532,10602961494823244378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4214152697655970532,10602961494823244378,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:3860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d5e555f6429eb64461265a024abf016

SHA1
05a5dca6408d473d82fe45ebc8e4843653ad55af

SHA256
0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1

SHA512
be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a94c2ae8213f1fc17133c2d20085654

SHA1
03581be1297aabc3ce8f30f04eea8fdfb4fc8904

SHA256
f1786e17af7df6fe09d12535374e8ec2f183c15aa50b5fcf3f8e0f52cc5cde38

SHA512
d269b8afd2dc4c5cb8b8d0b6fa67deb7a244d8102d76b83ed7dd7228e19a9b6dde6b589f86e9ad063e2ffe1e86bd2516c71851cdfc72f526266cf54f8cb60965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5710c39b3d1cd6dd0e5d30fbe1146d6

SHA1
bf018f8a3e87605bfeca89d5a71776bfc8de0b47

SHA256
770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f

SHA512
0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
da62eff73180cf69fae62d238c208d41

SHA1
8f3756ccd48098c3ffea843ca6b38de3177fde48

SHA256
e403795e680c4bae54261b348f3af02c8dd965c962943cfaa421a1e4ffb82fb9

SHA512
ed73d1bb05ab23aeed400dae9f2270066026f0ce7a227f5cddeecd3af4feed1111417684a85c878a83d82e017bebae67e368b6d5f096d6420968ae797b0d9c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
95be692b6e09ba5561b99d54a1bb135f

SHA1
08d1c8e515d1f46fb4da0c102a45bd4045cf5bb5

SHA256
1b9c7ee05f80e1a41c6d9d078122f9f61fdd977f708cdfb87bb09ae2f0313beb

SHA512
d8e2aa3efe2d064f974380d40f1af5a5b0598e6d674c5acf79ff0e9d06fdf6a65d53cecbf775c119bdb2dfdb480471d592a175c5bb3228b166ad5b8623143edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
a0aed83aa6800f8afb1c8867d7f98cf9

SHA1
84b05781cbb0c1a7cd5709da93586f9c57672af3

SHA256
d1a2458c27df9d8007720ad42af7fc921dd27532359cf2571fc5634a54924c15

SHA512
232f40a41df1dd3dbeeb7d9f22d646b94f3f40f9d47ce37c78cab1dc6adb0b08839b9ae26ce76effae4eb3702cd98f8805b8f8fe5a10a69d6a91a440946ca731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c10b9fd6e1967518db5196e7009bfbc6

SHA1
e9fbcb94a2e183e61b11245073a8b881e531e315

SHA256
b99fe8b42f506536ce7895f0e2c02db14c7158be352c7b40cc6cab132f8a5a1e

SHA512
bbe088ed255a3caba0fd46ef0e1a780e763c07b887c92bb05d6c00824894dd831a7a636d061d82db60eb2f7b2f34e60a18e4b50646a2bcf346d49a775fb090fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
e60e0816acbd572b12567e036ab0ffd2

SHA1
3f7a1fd1758a4a1cb1ae6484f2016bd2266a116d

SHA256
abc1349c0e93fdee9cec2aec1d1e76e7309f96cafad761f92fa111f73aa54a70

SHA512
9f3c001f856414726feeb27124368270fb3856f2939fdbc0e5c330b403da13b0ed1f4d6f9a5c9cdc605c3cf90bcce3d4db68e318872e8ee935f36f20146becd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
da16a1bb9c42ad689de1a96ba194a6b3

SHA1
6bbb6a4ec969643c8b7c0b1979d4e248403820da

SHA256
0ef4e7f604db8a7ef30ef4752425402e90393d2b26a8f4ea5e296b18126507ba

SHA512
5009fc4a173a6b7066a18d45198e9064a6356f57f5b7a1377e642603d7bcf4d6519a1f15d2437b3e1c53977c1767c62edd7dc7a8bc357c9d125be1bc18a5dad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
b97bec1cc4845bbd3c015b3179380e76

SHA1
d7f30780e5758be53f6876614f96d24eaefe898a

SHA256
b00f7e0f512273ec6a9900749d48a098e870f250bdfda6075114b993be56d911

SHA512
e1a6c378c68d18eb3093f0a698bb520f37e89e3c93f694702caa24a050aea22e08828b192a998a0dec00d1105a9049f5c66084b649fbfaa369963056c0ef0faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
321909d2adc9c95d2181a6f115f95d50

SHA1
5fbe07a153578ac2a771fc5e9afac2d8a6759a91

SHA256
2d1549ea15fb70e6adeb564a5a7d3102fca7c1995980c209b2ccbfd8d7d47395

SHA512
6184580db48a6230647250562830524fcbb13a08de5b62a34e5c4ecbd8feed540910a36431b4156b67c1582e7c6d11fd360fa60aafa5580f0459250882548006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
798B

MD5
726bca0b96dade85a7f7c186d3ef8880

SHA1
798cb576b40c2894227b770df7fdddbcd93a681a

SHA256
2610eced6b502c2cf9b06b409db75845cf306e78d7613da1586abbb1fffea88b

SHA512
52bffa70c2152a882da8784e4c58c8ccdb83d02b40c52fc70e9b493970b5c362fdd95edc3be80bba329675a4832eb154fb92764096603cff985c20d07b74f384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4a5367523b1806276285bbc505013bbb

SHA1
41f9ba03c59b0f3ee83c6cf795105b834e4e246d

SHA256
9a33ffc49395d4a87daa9b243cacc3c51dbee0254c92bb613cdc1f5782900d30

SHA512
cfb633e8accc08514ae1f188dea65fd0edfb97f04c40c897ccf5c9f54fe56d45b24df9159c054cbd2612b0de0f668dcf55db1fcbe6429225ce05ed536a314a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e7a787d9e8daa124857bcd8c7e6a3cf

SHA1
dec407e1e52fd89373ab08c326f8ab2eb6fec252

SHA256
f7173fb372b1219e7a3051168ae7e39fa71aa53738d5304abfd18bd0b7dd4de3

SHA512
4bc4bd4ea989fce6457b3f3b4b043380e0160dfc27c0bed86e7e4ff381c8a2771601207ad2042079c3b185edfeeab1484f0997c17631595f961385d1d67f77b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9bd057edcec32ba969605d136e3063f

SHA1
cfc5f8a288ba23ee059a7c725a11c932f269006a

SHA256
9956cd13d844d7f48411bffcc5dc45efffe7e3646c00576e777435d7a2aefa07

SHA512
7148980128a6627ae1681189cc8644cf5f83b5401250cebf6d67deaa8ee887f273dacc8b01508b63bfa65f9dceb7666abe46cae85b16ea76b5ab1b1c80c23434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35bad481893dc70f04b775f25d9439f7

SHA1
c4157acb85a4b87b1e407fe5887d12a8c9a2f6b9

SHA256
09671da31fe6b4e4fe2d796b4b7475a66172a20a3e71b3b4ee91fba164d59bcf

SHA512
7f23dbbb7dede1f088c315690fcbd4a745b1a2d22460ff2562937c19f202d8026c68a89b3d7a903cc862f6d4a7a25f2794ec156e4c522ff025c330e4ed067df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60baa57bafb2bb36f0f51c526b3f0d5a

SHA1
5cac62ce87634bca99105b0d7c66b17a29b09999

SHA256
eef3c7967f3bcfdad0f0d5334b914a3c3ae9f9cebc5057757f55894cbe831ae4

SHA512
ed3ca8fc45dedfc6ec8e9c4748e2b7de237cbb2c281e242d13b801d8ff2df38335abb9e6daf89211a9597a3bd9eaad7097fb93c3ed4f172045d01d13f4e64e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
226741ce930e10b1469124515d9f8dd4

SHA1
2b8abcd82cd4f0cba4d55dcd6bae95da0cfb98df

SHA256
2d499a0535e9ad789a1c2564c46e7fcb8764a21a3693c8dd5cec1a9facc983cf

SHA512
3b43a3feb235016eb6293caba5feb9e61419c0c247178d12e5736a21070683eb4fa6ac9bd13534195fb41b49b73decbcbe027e0d69d31879e4b1df9cb60915d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13359066546087834

Filesize
461B

MD5
ba631cc2bb811966e4f9307f1868ae0e

SHA1
c90cb471de12601c57493f328dc8fe842f5596f9

SHA256
cc4348d3b0f4848045aa30083135c09999abf2bbe636deb53ec7ae0e963c6a3e

SHA512
f48273325144f696864886e5735bdb1ef2534945a3a1adeb7453352b1acb905f3b920249f8d62cf358cc3ebd8b4de21868a816240fc8c6bf10c5d755f5674339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13359066546259834

Filesize
717B

MD5
a187754474bb5512ee3d75f33f3db680

SHA1
f68d08ce7bab47c45df2a21abc756c149af8092c

SHA256
018351f152ca2fea089d1ba3d9973ba562362c4d48e21de3a8ebbeea15208e6b

SHA512
4f4e07b3874b23e5b3cdd8928c6ec4922206dca60291d35c19f6a77f949c21cd8e76355df97ff72e35e6c93aea1549909a156e0557b4bee6947120e72eaec4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
9c311ff2cfe0f323751eda610f2c7dc2

SHA1
21af6adbd637146e7723cc4321d37ef53684e8da

SHA256
72c57b26b6d6760996df904bd814e4446afb4cfb298e056102d343e952bd3b6f

SHA512
d65315bfc88780cfcc7d5b695d80d513bf1c3dc9e065ae56ebc5ddaf2132c9e42a67d6dd657b3c4891f72a4f62ca629be6d873dc0bceb8e5ac019df3d5c1dab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
1f93059597dd5dbef7c3fa48a3335655

SHA1
7afc1dc549c27c1062786d6c1e24f67ad9012c85

SHA256
8aad52d6454c37df25e4fff8256941285680312854d80d47e1cfbb6e90b3a966

SHA512
24ed9437b93db192855e337516638116b1a1abff0892f34b8c2cbb29237d705f9eb532d7995c2fcfcb6366c020dcb75abf3f2b57b3f275c530d2031d00af55f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b52e970a645d7e1b78bd99b3e996547c

SHA1
03b519f861791d1d614f676473db34ebac3a5304

SHA256
901eda8554b042843725cb389d4e13bf2d6276c65ff9bdceaf67d81f1d21c891

SHA512
50ee64eb55f3f9f6217a45dbb30ebb6ff3fc9829e08d850ac61b8eae72efda592394f5284090a1fd423481c1b22c787b04a179f60fff23a25340909f97c84ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
5KB

MD5
4a13a568a86cc0fa973e4c912f92e15f

SHA1
f0aea4eaeafb741d4ec44fc2adf710d946e1eb2d

SHA256
4a308b6c1275efafb0f6e74ed27fe46770fb05e59f3bc509ad86a8a568cc4e9d

SHA512
ffa0b4feca383f131d73bf810690c9998fb5c50c1e8475325e896be76880d18683dbf2c3f0c2c70587e1830a0b9be9f8f3d330e3d79960eec58d01f9d1ee1af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
668fdfd5c7429ec3d470677e4348bfe4

SHA1
2f5961b50662b959e8ba55740ddf9a410b53e8ad

SHA256
663fec804aa8a9aee5e1566855945875fddba8bf7eafa9774932a6fb4a1ca581

SHA512
291f678941754b6458cf795d61c10fd31b14790b3590d93dad092e1fde9fe14b3383bd7b0f56cf7a5888ff0cec0df8632fa107e9c700e239fd7713338b68b3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
c0a4aec65e924811b5267ea9dbb7e925

SHA1
dfaddc1e893017d9c67c4ec401959a2aa1afde60

SHA256
ec9507f38a78dde367e6b65592bbb744b0d08549f442e68c14e8c4ec7da697eb

SHA512
79ef023f8270c2d86ef76c632bd93f55f350bb643de015a8c4e8de2524d3a94e91072b2e4a9f5d62b644884e0eae0064a1fbed589710c6c3a1be43b28a3f1c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
88d5ef6251916aaf23c48ba2686d5545

SHA1
ad370069658924682d8bdd5d00c8dc9b5077893f

SHA256
68f276765f60a0dbddafd0a0e8180cf2e4a9b5dcffed0e3e2c406879e3e00fc7

SHA512
76f817d2887a6ce3c39cbe415aaabc8e2b8c359c29b68260d4bcf60d1e03374f6c2a72457828aa92e8706799608a12766bfba82e614ca7e0bdba19deb28cbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
9bc759459daf1f3fae43dc4998f63329

SHA1
580a960b004c7635c5e844e5cb15725580e874bf

SHA256
9eec7bf7ba035746147a5c51f4c8b613f49468cd5e54c796f255df16b568ac12

SHA512
e7ebbf78908c25c0c1db28e151c3d9df449c079668eaffd28fd61e689757d0a81ccf7cb1e0e06028fa8354d0444b5846dc275cd93a450f9b9c669df89e623e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
9086aab8ba7bfef4c13a8b9c1b532d5a

SHA1
6eeb963e954bacc797e1e67554fa87d909b3de39

SHA256
f8c49baaab7cef96f4af0a42f2294e823ebd76df1372698f0966fb7568db74f9

SHA512
942b450d241c0f8e97ae85d9095ad1676b20d29a5dc598c1f199c5ded3c457151b1a5ac88104ad513f798bd556d4046a88d7e1f685832725f1e894ed036a0d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
b5481353ced18695978f5b5947316b86

SHA1
d7a31f6023d3021439e3fcf3007312638afe38d9

SHA256
8ac4c8de1e28d8cb04e39bd2abf5ab6a7fa5491e8720c85d27f7fc85c06eb01e

SHA512
2b40c0db66fb9a64deb10ac5b9b68021fb12c8d37d9dc0f6c93d01c88536d93487551df351a490c7f050e1b3d61ee7a014ea63fa54c41dfa47debf03c2c13db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2aca080cb481e601d289d00a23fedd2c

SHA1
46f12c0433b6cdb792da70ecf840bf085dabda6d

SHA256
65d26ae7a86f6afd67ab10181b32ae72ebca1be2cdf798264d9f7bd74e406485

SHA512
867524bb8d06238f5a342cb6adcf07c6771d231e5809cd3bcba52c65af2ff41b695adf8f369cfb063fbb7f97be57997745a86dac157cb1cedb5a906bf9f893d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
605aa5d1857d46be08d45d3437f4fb9d

SHA1
9e79708fd3cef85354eecfd4fad91b5a95b376a2

SHA256
b5536c684710e26560dcdfbbb896f15089a01909a442007246c7fdf01dfff218

SHA512
5dfc8e455e717680efc6ca5559a97c010ab3287765e983d720b68fc627d650e5bb619888e414d2d4fdeb19af89a560de55618d2b1ca34a333d7b05051c2477b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f363619a4c4488d94a9c78865b085567

SHA1
ca5a07cc5470dfaaf9d76e65af0306f678a7e4dd

SHA256
e98b8f2e4d5e6a6174d6c512356d94cc7a4e1772d20b4bd635892c01e8661785

SHA512
e4de5564a45ace0502e15a6b840e229c14329531454af681a0ecdd62d515128fec17b8b72e1be58982f5e2fa049d4a1400907fe55146bbb454198757f7492ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b3b00d6de446f75713541eb66d4ed861

SHA1
9f89c1dfa77485424cc8e5adf47b7775664ab253

SHA256
d47e3c938236a3822bd8ae4ff98814479e91c63ee38a5014ae0bb153c03ea8da

SHA512
72a3cd2a24fe0635bf71d1299738beace6505a312fa9033016c5b3200e93dadd8f115b3b3640d207e603f63ef8f99e81f1943a6bc69fe38d7ba476d0391c6f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
3c4d01c50d8d8350b6c522daec677398

SHA1
1d59c1625300aa90e4c6434dbaabc7f4a7d2f441

SHA256
e8171f72e7e78c1ce6a5c6e14afaeb2e08c9328b6d1c536d8452a223d47740ff

SHA512
97b66a7d44eb85b482f0e61f04216e1e67a2514500c515f7f96bfa92e9545cbdb6b9b2111e02ec34837edc42cc61355d20c243978338abe7f98c737b553cbe59

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
98d71d9465a5635ebebff34caff33081

SHA1
a6d298d65ba7b18ec79c0598dc485ffd81d60720

SHA256
c9e921b9c4eb83ca9af768d8b0cc3076463f3cd9ede7039270d94511f448975e

SHA512
80f7c7f8f6de0302c0ef72d864c5c90afcc5c5edebcd089fd9d94bf50f32e6c33941d65bf5b238183eb17db469d917779d3a31b79716a90a670f75b5b5b48b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2p4c324.n3l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Asana\usJzY.ps1

Filesize
6KB

MD5
8ede71440d02f3d250a3ac50eef4280f

SHA1
b97e6ebd28ca3cb9e45ea6ecd8e2b2a9323c5bc6

SHA256
5e9362dba53021ab588e396e1cb28100718471f07c5dd5cafa6bf5728f014b97

SHA512
77f23d7ae4aeab44048f72e34b45f8a0e7b2872711319e028fa685812fa63905f3dbd87daa3950151ac41805104a2e65b9dd6371b270beb0952f6eada559772b

Download Submit
C:\Users\Admin\Downloads\Asana.msix:Zone.Identifier

Filesize
73B

MD5
d12b3c9a2e1c1018b70bb8d4c4809bb4

SHA1
513029b8396003a12e323a24f686917c742ac429

SHA256
890b02310faf3ae04af3ccd69b16b3326f9fb78a813c84ce239180d10d5db73e

SHA512
77b5abb4d97bd7cfe6829560a920d84b8511e4c9912c6c10c513bd811b7f31a8ce363995b00584d4bf3b4b18c4740b7b8bee99271ca530a6a2a13681d69d7352

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 910355.crdownload

Filesize
1.0MB

MD5
c50aa8af85636796521e490b2e0b34dd

SHA1
208e615fd62249af697856734fb0e80bb1f58739

SHA256
bdd89826ab8d3e3c03833b1ea8e4b0a34c80f13bfa5882e5b82f896cec41d141

SHA512
0f8dd1ba05e92238723d4f8ed096d6b6bdb55ee913b9834e37d3fdd294c6f1613f84c64bd492ef25f8ade4763f613423517202480a5da65116ffc83034e5a93d

Download Submit
memory/2064-222-0x0000023A7F3A0000-0x0000023A7F3C2000-memory.dmp

Filesize
136KB

Download
memory/2064-227-0x0000023A7F930000-0x0000023A7FAA6000-memory.dmp

Filesize
1.5MB

Download
memory/2064-228-0x0000023A7FCC0000-0x0000023A7FECA000-memory.dmp

Filesize
2.0MB

Download