hxxps://www[.]zmodeler3[.]com/

Analysis

max time kernel
1800s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.zmodeler3.com/

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
5996	ZModeler3.exe
5996	ZModeler3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\ = ".z3d scene"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\zmodeler3_x64\\ZModeler3.exe, 1"	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell	ZModeler3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZModeler3.scene\shell\open\command\ = "C:\\Users\\Admin\\Downloads\\zmodeler3_x64\\ZModeler3.exe \"%1\""	ZModeler3.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d	ZModeler3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z3d\ = "ZModeler3.scene"	ZModeler3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4804	msedge.exe
4804	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
3564	msedge.exe
3564	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5932	msedge.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	5996	ZModeler3.exe
Token: SeDebugPrivilege	5364	taskmgr.exe
Token: SeSystemProfilePrivilege	5364	taskmgr.exe
Token: SeCreateGlobalPrivilege	5364	taskmgr.exe
Token: 33	5364	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5364	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
5364	taskmgr.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5996	ZModeler3.exe
5996	ZModeler3.exe
5996	ZModeler3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4556	4804	msedge.exe	83
PID 4804 wrote to memory of 4556	4804	msedge.exe	83
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4292	4804	msedge.exe	84
PID 4804 wrote to memory of 4172	4804	msedge.exe	85
PID 4804 wrote to memory of 4172	4804	msedge.exe	85
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86
PID 4804 wrote to memory of 2952	4804	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.zmodeler3.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb19cc46f8,0x7ffb19cc4708,0x7ffb19cc4718
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,1665847682831234445,15050621419434188008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1596 /prefetch:8
  2⤵
  PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5488

C:\Users\Admin\Downloads\zmodeler3_x64\ZModeler3.exe
"C:\Users\Admin\Downloads\zmodeler3_x64\ZModeler3.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5996
- C:\Users\Admin\Downloads\zmodeler3_x64\zmStoneGuard.exe
  "C:\Users\Admin\Downloads\zmodeler3_x64\zmStoneGuard.exe" /run:ia 5996
  2⤵
  PID:6080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
44KB

MD5
c4fbc79bdb8730e22eecefb5fe90d2e0

SHA1
b5a9a3a1599910b25cc694a2129eff205de4dbc5

SHA256
6753e0be164c4db4bf607aabc3250d259ad4fc3b9897fd09f2eb29d980c637e6

SHA512
32cdcfcf1bda6b776ae1b2fc995d45a339042cf231b122e8cb6fd3d45977addc901ed697b14ebc038267f10972358e81e9cc58a9b5db9dbd72d7173477a3bdf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
133KB

MD5
109f4d810083105b5dd90efafe0e9798

SHA1
26e02ada7fbcfaf79eb7e9e82fffd1f3e8dfc070

SHA256
1aee0c79d052dfac542184ee40cf28991aa065f8255249bea3a930e7f6c600b5

SHA512
5590f13cfb810a8ba594bab939e3b928a0e89ef207fc9c2095150dcf2bb161fda24b5921002e3a9217fbb71911386fea7927abb6dd5eef8a1ab23d3192df927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
0aae89f6a639ed3e89f9515106509590

SHA1
a2f01b333c11dcfc2258673fb718a8bd0f930071

SHA256
956bb7a51c92c117efb4e667fa3d7acc7f1acb89d26c21efc667e2802b9df1ea

SHA512
3fd8e9a06f4f30fe578e543e991f7a5f1bdcaea8a958ceb923f0661a7d6b5ba37e70fc5d745abf9fefffab8b80efb6c3a5f528fda00a1917f4dbeeed1d7a9a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2f1173ecf31b904ba6f2b10466289f3c

SHA1
7356642309bfc4e6be26804103dfca63e0fe68c9

SHA256
b51de8f4381941be4511ee79320fcda0313b509bbab7db115553976a1d20d086

SHA512
33729e91c6ea890f138c39449ea6809d2802dfcc4c6cbb06880bee573c25bf539bf55811c6a4421fccb423f401a97394d667f77683eb3c34cef089698cb95ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7f774a28fa5456d3c1d0d69b5adb71d5

SHA1
0196a866f02001f048df3435a93fa63dfe22b96e

SHA256
9d519c66228e7313d6750f90a2a5f04691bf41ccdd7aca586bd64c7d73f67f4b

SHA512
fee35f934aac1cce7aa28b96200686d196e7b0e856f838434bcbd69147e268775e561c91f5c4a1f90de5bbe2efa28e5accd808f735d35b1ac218a5d4dd5e3000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8590dd5978d817e278e3ebdcccddc508

SHA1
04e6c8598685085b9cde8b1cb6336faf7b9376d3

SHA256
09423f122bb84d5c60786f0c0d1f7fca07de845d0d39b03abe501dd67bf058f3

SHA512
3f6a61b8e63e3f6f0a992d3264efb557aba347b4640ef3dfc57f3c0a5b06996618a3a4329f676436303f7e65231361fb17f87d784e80abe5196c6616298eb04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
621dcb786378f1a7c002fcd19a0df052

SHA1
dd5b73892e4fd41892ef169f907fb36a266382e8

SHA256
ddff6adcd6a2a0c9c514836ead9380b1a3acb6fe83294ad501b3a9ad400bd02f

SHA512
9e48f197fa21ad9a3970942364e15e79c537a5847d569a6bdaf1bf41c832f39ced256a01c3e124920decc18236912cbc54e5e00ba7413ffdf8af1df5ac64f2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c5bafb25f1068b91cbba4db943f3ef40

SHA1
6c7278426062a8bfbd970b5a6ea7092804fc6de0

SHA256
569982d5b5259d7c78b119e4a9b5094459951a4c2e9d342abb75ea4afc60d3dc

SHA512
0f700aea672eefe86aaa3d857faec395becc0b130f8c0a236aacb94a30523f877d86f2406938b95da813177f7ab7c00ea073f26068f19d2591bc0f481d8f2dcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
32d078885e59319147608e181bbdc56f

SHA1
916e52412c94645ad11ccb1553746ec5e8b9cc82

SHA256
6f039b9df687017b4f198b80143b609df4ed09dd4a6b3bf35a81c09d359b6064

SHA512
20bd5488fe0147380a5b8f4eac77b8030d5edda432bba73b994ddf91f854efce40c5f93efe480291d9ab81a17155700e4e4a19568809482f5b1edb13dda68097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4bebfe9f3b41d01d25c923c5a4489ec3

SHA1
c12b52a2930cbbfdba0a6832e5c0e8c8c2cc4378

SHA256
d51e2d0ec77f7e463a442333ec8334f9ab89bbabfd30b595539efdfbcd101f90

SHA512
6b241d629fc51a4de511e0192d6446f59deced2e78eaea8e6a6bb525d6f6e6798eb4c149fe46f9391c7dd866e3defddcec55df4af1a88f64c7414ce4b2933c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9674a298af592d0f7f8b8985294abd4b

SHA1
0fcdb58fa2da1a975bffec2df0efe3e84590361d

SHA256
58e6059e2c39f0caac131bc22130f7feee1fc0164257b57e63507621c983c1e6

SHA512
0e782b5588cd1bee73af73b5963f9514fc6dcb2b9289bef19c10df418710cfe64929d9ec20eec7d210db11bee5b3191929e6024203002a0207472b037565d9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a2bbbe3458295100ecfad4465b927d3d

SHA1
c0ce83667900a5753c110e811783ecf9210df7cc

SHA256
96fc98b093be1fd31e3a2c628109dd8400c50546daf7f54b22acdf7f944cd659

SHA512
1651afc109d3a5e66bbe16e5b618c987b6e5255745215ab4eb66d3495a0670f876c14cccbbe4d1521514482779b74b6c77f2a6fb1d5b817f3fa8fcebff520150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31e1ef03d0641680023f2113419fb6c4

SHA1
7bec256eed10b2de5067bde2c5c93f7e4ed68dec

SHA256
7627c9a7f3aca352db7aae7d1e6933929bf8f0f4919be260c3d63308079c37f6

SHA512
1098ae8d7ede12c08dec4a977c741f23d7da3101b5f1cc87a02ef781d920dd529939b0035a7a1d7dad9bb76d7c8aee1b24bffa4ebd10b8fda2db19713f569fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a884018cb8bbd189dffed4225d7b1485

SHA1
1a4a2a0e5c8088096da6da5cb62c2f2251324f34

SHA256
eb5470870e431a103f62faf7bd1ed7a7a29c7956fcd6103768f85617e75fa928

SHA512
37a945934eae948859ffd5f179edc131c7e4e3442c3f34606e9d16f11257159c5e6269d4030bb8010875c553bb91dfb97b6e5f881c81fbbdccec33b5edb3c6bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ceec1880c5cfd31b5a1c93f03696be7

SHA1
cde1ac33738d4ad6228f09d87dd99cb10506032a

SHA256
5908759dc7f6b655d0050f41e0fec9af730eb02dcf6c2a447dd3a319b3682ba8

SHA512
58b30a667c05db53a7612e708682dc160fcba9730488ebe8f93a2cb49615da961e274b3e7b11b81f2604ccf16329a9915488e1e2daf9e5a8996f2bb3e7b1ba61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
30f043e13e7c85ce81d47767c71cc87b

SHA1
c576036945720e5b50ba3482307afd9bd4211c0b

SHA256
56b84b2f3b57fedf78f8c7f7c27279f9a824a5c8a196050ed3a27e15f0a3c219

SHA512
a2f71609bb91c0c8adde89c1e03579058fe49b0f7a4a8576efdd79a6c690a958837a1aca421700bdc67edce3e0b6e704c2a5ef4778e0baf97dcd4ec985b4dadf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1a41842ce57eca67fadd1a1ecbda4a1d

SHA1
dd2d16fcca05c91e6ede1b7c8a3ee42fb13f92f3

SHA256
aaa1d5eed4eed1f003a297c19d8e57a8449129c436b72a681c4a99d75a176eb5

SHA512
b11ad6165df2cfe8a9c228ed561dd5b88b46450e5822ceeec67eb26a26f05cda86c87e301cfbab56173fe13477ddd7f3682192fcb9d159c768c366942e1a134c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48ad5ce0f0f0940f539fcd792a90ff65

SHA1
75fec7dfbb9af053e73b34bec01109a37ce3e409

SHA256
24d128f5e898d8fba83d135adafd364a465e526f803b225ec222ef9d55eb57a5

SHA512
e324d3027cfdfef7947fe99659e8d051f84cecb696b9a197988a0971ad1c3c0d6622474b5ccd6f6f7da16d73551cf3d4de3f4b6fcab6b00b5335c89a2764b18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9d76a5f4cbf5dd1c5059d8e37569bde2

SHA1
c5d37b5df3ccae7b707f5d021e7857d979ed2695

SHA256
30a75a30ce803508d74921defbcc801577319bb3650339ee014e5354e4a440b2

SHA512
bd7f381ce76e2ebec5945ac7b9f81c922ca716a812efde6d0612c0a63fa0a1588e94ef56d2c6df056514ce44b56abd25ef81868aa592ba6e50a64d3a77956df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
83b5423a57477fb10a3432549d64b515

SHA1
8a620d86cb0d30077bf232cc15ab1a918bf6200b

SHA256
b6f341ac18231735a219543c197acd190a29c3280c4c9b9038d46e9fe70e941e

SHA512
9afa9e616fd2a3ab99edebd73d0a9d046b0d6f1b56fede0280057f0742ace36fce0bc71d14affc56743f21960748bc6241a1f2db26398cc753a29d16eaa5c53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9df7d078bce6aaf0aa88867f8772046a

SHA1
ef357b1d813a5458c3b0d0e2141c89af02b9679c

SHA256
e38885454db6b9ad1150a0947d28445b22022195d1f88f40ffb16a444092ce2c

SHA512
e74b35aa35d241681fd5398e128d0c75fb210d9056b5ae76bd9d08cc3a6235ff53b3b060bd86c3ccadfdfcae5bb70050fd97d41f0ffec773a02c64e52af91c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a80b32563f95538b2d67c412f57026d

SHA1
d80bd453a140e53c06f0fef4d843a892bb0d1ea5

SHA256
f986283243adb6db0b3b88b50399f2086df9c83b349d9a0f81c2a02a2d7fc289

SHA512
0a662456eb53af1772a2e804d72c6034ec0768e631ea10efc3bbdae2001ae14c032fa6927ffd5af41031437d4e55254c393646b5659fb6050c5991db3e36fdf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2213cd7cebd59932dc7dbc54661cef7b

SHA1
95e21cfae7f9bc984210187c485f8a2fafca12db

SHA256
344072536652a4603d6af09f16e25eddb823b4d42c66c200a93dbf143f8d0a62

SHA512
ba50c1b0b131df2949670c3718ead284dd388edbeae3bcb354a3427bbb9e9b46eaf841560f595a2f01c17c5427283f8c355bf98d0cda7e35e020601c2a4c85dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580e34.TMP

Filesize
370B

MD5
a735175a20ff81c92bb78fc25bddc52f

SHA1
47a24d8beee3cda9770ecef0ba646b8e779a3a51

SHA256
26a66ae0a59f6b68f57d0b9e939a079a4dd8e5c453e6ff17c4c0a22c249d6059

SHA512
6646f327d912572f6521839d494eb5ad64728c40ad015fbaba60cef2cb4309c247fedd8b347037fbad2708ce9f5bdf9fca9723cc18440f89b537d8ddd7d83ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b621bf89ceb5bf93b56997fd8df5be3

SHA1
6e2cac29da0765df5377bba3a3ff79e1d458c2f8

SHA256
8e4fa0f1039c0961fa0f9dcfb062dc8b442f80024da33877777d21efb301ce70

SHA512
686de8d0c2c63577bbb8fe6764f7701b328fedf4adbf974dcb86bb72f8957482d0fa90018366aaad54f8d0c8d867cecdbc1da052222460cb9ef4e1d11aa60e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a776db448e5ea815c3068982f5a588d

SHA1
df1410b116ac5818b4556f7dc12bb5ae6b1f1811

SHA256
6392ff501568aabb78be6e220f8aeacee3914a9821d50a5c8ad06f95310d4bf0

SHA512
66cc2f2666b7545c9a30e6abd6f7a9a3d90f06888644a0d6c438b204dc0815477f4a3f68a33c2e8551be9e6cfe57deb79083d356317a17627448985263be7c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
9dc3db60b719e33310571900001139df

SHA1
a617d2ab1a577bd7337e2bb7d885d6b2c507ed31

SHA256
b35ffd61fdfa55caac4e88e002a420149d4225d1a1745eb46a59ab242d76508a

SHA512
d390c3beabd6215b33993f87c07c98c386f5aa2e44016f9bc30f43697652bdab4b2fdd0f07c170b38ede9d5593224e4f401e483f7bbe457bb55fc6fa51587fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
31b17a2657f0e4fdb1ec4e6f7d903f05

SHA1
ff7cbc9eef1c55560d46eeb5fe17688070c4df70

SHA256
d74d2f756e26576281e45c58d092b8a82960b4edf8ea928ae3d87654b27b3847

SHA512
f1df68f0e1a5e6eb565ab50eda6cb2870eb9c52df9268fc166ac06ad6f9b162aa2da44a9d45dad2da8801db02872b1467b5ba3ad8a8148bba2f0744e9836666b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
0215ad37d1ed6c56fb2b217b044d6001

SHA1
72b61874a1412435e42225309bbdced3d09f64d4

SHA256
359e7803464deb393f10a98458a7498988084351d2c4a475fe20a89e7cb59d0b

SHA512
01b49ccb3dc3ebba1b7141a97ab4d60f1d3bdddd385fa2b2995780b9d0dc44a1be53d477c083bde396d0e8593701b4c3df9f29069618586aec5869e92ea364b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
92490a8fbd92389724db4eb3f67587da

SHA1
3b302728b2b6ae345d5f399ff843b9a9d41f0502

SHA256
713ae8ff81503349e8fa02aff2ee809f1c4a95b8d375e38e76b31e75ba6ae74f

SHA512
f7e3338d384cd576aa420ab2a44012f24842018375177396def4280565c77ebf50e94e93cfb2d8ab031f0dbfbabcedb2462d819f31160108134eadbdf86410e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
4fda082b4994c0ba2e9c648bacc6b53b

SHA1
473a35c8cea9c8af6ac093e4311651f0311bdc0b

SHA256
fbfbe74b54fc31478095b7579a3c1a75cffa3a76d62f9ac656bcea3cdbc12505

SHA512
76a56dd7b5a3dd18088b2ba0b3d7cffc2c74d0afe6b112eceb150c1e9e0fd118d67d4bb1165e632d42c98677c412a6f91dcf4175514ea6e1725561b6b185b03a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
0fc1e039b93603281a9d365df1e42ee5

SHA1
16b25fa93a56377ebc48e53f5c01de6bc7d5edf2

SHA256
2b95d0faa0ada0e72a04ffdf183a4cfabc55de8d3f983bed0898307b0ce991bc

SHA512
0a3bd5190c96739aeaa7ea4dd77744a8af5d0ad0a43f63e7238f6296354da1067314ed1d255a8d177627ac67c0578f960f6da6887849e5b3b5cf9a550a58c779

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
370a5c5e507bdd326819923a8914ba8a

SHA1
413cf9ab86ecfc2858123901e5abf349deefa7fc

SHA256
f02c7d28f995990f9e9d4b12179014759b159aea06a9cf94c1da0782cee1cc0b

SHA512
e478f846c44601a3cd8ef9bf7d41495ab5a564f23511bc0f20d052c365db8c707d3212e9e964e79553c91c0de18392b5951c13821b7247dc6538deda9bca7acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
93b24180123a5748a0d20980589eb858

SHA1
ebbfd6cd046d7d922bb7f7c02730efe91bd13a14

SHA256
32ed91bc67dfa2adf7c74b948a9db9e9937772697fd97c1139ecc53d256df8ac

SHA512
67e72768f3b4a014cf57d6625c17d429ef4de3c065c0f21de03ac51acb30747c2e262588cceb6ec18fb2828e2a8df37b94c19e349b57f0ac8414a588480bd2dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
628dee7eb9fef33ffc20ea76efbf46f9

SHA1
de2651600149469f5a816d07c922d87e9c49dd66

SHA256
5b617171ca7c75cac775439adb511e979d19eda5eabb880ad3f4664cf57fd334

SHA512
eadff50a3bd70ad72f8d8758ee0c0e31ba225cc5dd64fc1b0371cdc3a0c30400969c10cd4f01c1f4672ddec923d89ad072c05594c86932bfebdcaca4d3d94c05

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 442403.crdownload

Filesize
20.5MB

MD5
5bbabe689f776b284c098414f4cffbfa

SHA1
954d496e3b6e352121c6a4950cec2ccec74a005b

SHA256
5dccaebc7d4d95d4c568fe60fb1181a08c5e8b3a209ae6f82ac94c9152ccedc4

SHA512
9c00ffce64c767f9d2dbda2a70dcfee4dd93988777abbe031fc08e87c1f1585b43650d21751b646079b75e25166f8b19b7b3a8bfc441ff177dc33953092901eb

Download Submit
memory/5364-525-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-531-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-532-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-533-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-534-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-535-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-536-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-537-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-526-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5364-527-0x000001E12A3C0000-0x000001E12A3C1000-memory.dmp

Filesize
4KB

Download
memory/5996-524-0x00007FFB08910000-0x00007FFB0896C000-memory.dmp

Filesize
368KB

Download
memory/5996-523-0x00007FFB08910000-0x00007FFB0896C000-memory.dmp

Filesize
368KB

Download