dcrat | hxxps://cdn[.]discordapp[.]com/attachments/1269226715406929953/1315030237461086398/Zorara1_1[.]rar?ex=6755ecd8&is=67549b58&hm=342942b3325c6d4cc071d538bee1cf51aaf560283814f73fd35c534defd6c7fc&

Analysis

max time kernel
136s
max time network
138s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-12-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1269226715406929953/1315030237461086398/Zorara1_1.rar?ex=6755ecd8&is=67549b58&hm=342942b3325c6d4cc071d538bee1cf51aaf560283814f73fd35c534defd6c7fc&

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	portreviewCommon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Zoraraclear.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
876	Zoraraclear.exe
4352	DCRatBuild.exe
2028	Zorara.exe
5276	portreviewCommon.exe
2368	identity_helper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2028	Zorara.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\028695c7-8d0a-450f-8be1-f458e1114f0f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241207190307.pma	setup.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\identity_helper.exe	portreviewCommon.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\1c7346099e1d63	portreviewCommon.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\addins\e6c9b481da804f	portreviewCommon.exe
File created	C:\Windows\bcastdvr\csrss.exe	portreviewCommon.exe
File created	C:\Windows\bcastdvr\886983d96e3d3e	portreviewCommon.exe
File created	C:\Windows\uk-UA\sysmon.exe	portreviewCommon.exe
File created	C:\Windows\uk-UA\121e5b5079f7c0	portreviewCommon.exe
File created	C:\Windows\addins\OfficeClickToRun.exe	portreviewCommon.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zoraraclear.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	portreviewCommon.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	DCRatBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
3836	msedge.exe
3836	msedge.exe
4480	identity_helper.exe
4480	identity_helper.exe
2020	msedge.exe
2020	msedge.exe
2020	msedge.exe
5520	msedge.exe
5520	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
3228	identity_helper.exe
3228	identity_helper.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe
5276	portreviewCommon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5604	7zG.exe
Token: 35	5604	7zG.exe
Token: SeSecurityPrivilege	5604	7zG.exe
Token: SeSecurityPrivilege	5604	7zG.exe
Token: SeDebugPrivilege	5276	portreviewCommon.exe
Token: SeDebugPrivilege	2368	identity_helper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
5604	7zG.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 2496	3836	msedge.exe	80
PID 3836 wrote to memory of 2496	3836	msedge.exe	80
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4960	3836	msedge.exe	81
PID 3836 wrote to memory of 4092	3836	msedge.exe	82
PID 3836 wrote to memory of 4092	3836	msedge.exe	82
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83
PID 3836 wrote to memory of 4336	3836	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1269226715406929953/1315030237461086398/Zorara1_1.rar?ex=6755ecd8&is=67549b58&hm=342942b3325c6d4cc071d538bee1cf51aaf560283814f73fd35c534defd6c7fc&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc100146f8,0x7ffc10014708,0x7ffc10014718
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff683ee5460,0x7ff683ee5470,0x7ff683ee5480
    3⤵
    PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,17469528744623934651,11031162732914960159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3792

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Zorara1 (1)\" -spe -an -ai#7zMap22532:84:7zEvent8335
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5604

C:\Users\Admin\Downloads\Zorara1 (1)\Zorara\Zoraraclear.exe
"C:\Users\Admin\Downloads\Zorara1 (1)\Zorara\Zoraraclear.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4352
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HyperreviewWincommon\0APkIItdJuTMwiSED3qMQuncpJddgwxYvhrJ.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HyperreviewWincommon\G389UpYDqsyTn8FeSKOfwJ022GejG1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5232
    - - C:\HyperreviewWincommon\portreviewCommon.exe
        
        "C:\HyperreviewWincommon/portreviewCommon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zqqiPRWBjb.bat"
        6⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5744
        
        C:\Program Files\Windows Photo Viewer\de-DE\identity_helper.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\identity_helper.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
- C:\Users\Admin\AppData\Local\Temp\Zorara.exe
  "C:\Users\Admin\AppData\Local\Temp\Zorara.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\Zorara1 (1)\Zorara\Monaco\Monaco.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffc100146f8,0x7ffc10014708,0x7ffc10014718
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,11757305431762522051,1400793858367898619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HyperreviewWincommon\0APkIItdJuTMwiSED3qMQuncpJddgwxYvhrJ.vbe

Filesize
229B

MD5
7c1d3d422cc4568c9a4325d2409a748b

SHA1
a8079bf0f981b9f9936a2547a8807bdb27f9c9fe

SHA256
1cc02cd69855ad9f85fbf3c7b47d33687c0565ba65b845653bb449693a179b8e

SHA512
82adf7ecb692bc6a5a58eac8b0233a637b819c7623eebb1654336304b3f90cf28ab667b70e9d21b54663a521e2cd5fc4dd2d93234df40fe19bd3356d4be8d553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
843402bd30bd238629acedf42a0dcb51

SHA1
050e6aa6f2c5b862c224e5852cdfb84db9a79bbc

SHA256
692f41363d887f712ab0862a8c317e4b62ba6a0294b238ea8c1ad4ac0fbcda7a

SHA512
977ec0f2943ad3adb9cff7e964d73f3dadc53283329248994f8c6246dfafbf2af3b25818c54f94cc73cd99f01888e84254d5435e28961db40bccbbf24e966167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
557df060b24d910f788843324c70707a

SHA1
e5d15be40f23484b3d9b77c19658adcb6e1da45c

SHA256
83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b

SHA512
78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49466246aa9c46b768ccb553e4637c69

SHA1
45ae4672cca17acf9bfdf21ff5660b3ae4d59911

SHA256
f968489d33c5c8b6b1d4346326cb9810f798564982b323239e3bda9f97531f70

SHA512
3f17c3b1502412707cf284c35c745f564749f052bfdc408b1aa7deb172c3993fc88b89777c92e9422fdb1556656d25ec3e2dc4f1f9d11f7666af2fa0324fe607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e12c0611d157bc724c09b7969a9f7c1

SHA1
3fe4db066ee0d6534167884c1b694b732116eb5e

SHA256
052d64a1ab0d81a373b31a309b882a0958fbe8198742a3d6fecf50ee0e3d2d5e

SHA512
f196d825c97d5a6fec5cd8c470148bac117fafe2427d1c1c8da36416508fdc67c2d8f8c0da1e1cd35bcb81766ab941ac872a94bd51e126063b4325e85c79c824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b6095cbf4f1ec21b2268d63e9418326f

SHA1
4552d2b82ab0052e10271c3407b75c72fc4221dc

SHA256
b6b1cf56f0974eb24a3a0d781676401074b0c48e5fa633a6885564484993feb2

SHA512
329da01caf2bea82da100a3a17496ae549e3d5cb962c6ad42ffec1f925537f4ced883de80efcdad981f3c1d92dbd139556c5bf38d50ef42bc62899f7549fb344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
0ca33fcbecfe57402029df69751c8e7d

SHA1
9561fe549f5bfc38a1a88f8404adf735ed9b3881

SHA256
0e03e531fedf1a808d2335b0be19cb63e023a2c7b335b34e8c0e891a23a58ac2

SHA512
303628e59e5c64295d60010cf5a353ba1e343cadda8283dcbd17a69df3954a39817bf73f202aca75936173b404e0576e8147a4449d4331e5e42aaaac84471dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
54abefde5bec0113499f80af3e39ace3

SHA1
c698c5fcb9c452a803611bb34ffedc02007c6c0f

SHA256
63c509586478bcedf137f2a018ab6bed0c9c9f6580a3f7f1eca32414fbf8de59

SHA512
7964b0f90cb29d40fb18b2dfd6d2b53a9394b5eb5a5b15fc984e52d588687d194c07f7af40f4d7e4ffff5715f4833351d4edaed3beef6248fa336f975f4de09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8745c0a81d40235f4d51dea04339be32

SHA1
96d0747b9629fd35380c16be8bc4e88e3e4eccf3

SHA256
6719a2392f6ae3cdbb57fd492d08f6194fbd93f85addf871cb077bc2350a9486

SHA512
10e4be6705a9721470a4f23529642fb35bcb63433440abbca94b41e36c95f8582f02ec6c452b8fb51241e3fdac8f07d8671f7cf6c00f8795d868e54fb70f2d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
293B

MD5
5f6da2dfd4619bfd082a0b146b55a984

SHA1
60e23da22079195200dcca0cc80a8262c1906904

SHA256
6fee4a4b34a19cf52ab167a6ea4291646410278f02e2daf1f72c95a26fdd7956

SHA512
2d6b185fa112d31656a61aa225fffd86ba2120693ff7e6429cbab72dc3a1a433ae42aa442e2897c0db70951bdb4903adb65e0684584906193d19f1594cd61cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c03d0976fdad83bca1882c6de99b60b0

SHA1
4e53231b9cb0ac2556fe941bd2b4090a8d5b4e1a

SHA256
6d1c2f5b883feff9dfcf1a05a9e36c78ae35afe9cbc3f14090f3687b26018a24

SHA512
163a2ef390d587cb149bf9965dc4085f586b8524ec876f4d7362e85abd56ec65b69008ed3cc33f1aef56478d31059813d80444ac91081c101a9d2aad331c4c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
321c8e5c1cecf3b625de52b9468a98b0

SHA1
98f743318e91263955ed0d77ed9f9ff37ae1a27b

SHA256
690ff69374e21b9a59bde990b40aec9d21b81e43cd658ec514260eca881002c3

SHA512
80dd97faf13d52793d8d17a6f64a5622aacd5bf2b10c95aeac812ab453038a60adf32a0e2c4baf18eff302f0bbc3d9996685aab5fc5a305a7ff3298f6f27fd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
49cd9a9a82dae5379e877f484b45a2fb

SHA1
f233f148c9fb9441c14860b129793e0b6d801b82

SHA256
c0a08c11aa23f5f0abfd4239de8fda23438f8bcd28adc057b6a4aa26613d9284

SHA512
25e60b8be1374e86a47c4a155c6d06c6ad717a2c986fdb8287d5cee79a8feda573a2e7d533fc10163aa65aa18e6d1960a4c1e963f1c297f8b82a889f3c3f9b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6dc1f4bfebdb2fecca2c94e7d94975e

SHA1
a6871735426e9ad7d24ed3f4978dc43e85715797

SHA256
16d4d9acc465d5c8b6523a810837c5bedd1e6b72dbb5d1d7263c7430ce6d144e

SHA512
8e177eac17851929acd7e2e923acd181c4a1ff20245e6e7f9e318d8085eb791862f0be4ed99fc05e7f01539cb81cd066b0807a2fdf87ed61860c4abf36e1b902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6e54d1ea15f2c896852dddb0bdabb41

SHA1
781275d331a01c38fe19a151a2a4f4d777d9e1b8

SHA256
03a37e95258e4509f8194dca90e0c9db0e00de1c20b39a0b6088287b8bcb9d7a

SHA512
9793702d8c5c333e15b50d3b7a06f4cb72342879caa0d7f066dba430fa0e01aef20c0ffaa57b8d536c0d5b63565cf094794fc839dd514422257005934ea24747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
952a6e3cbc50f011cf2f04c9470080ff

SHA1
a0d6a2509af73e523c970f6e4351861bde63d6db

SHA256
faa79ba7dfd140106187ab50f14aa7cca13650f94f796419bc0a44d7a2b79d5f

SHA512
7955092a6086f05268e4b0f88648d9275020b6cad83f81c90eac5a7cd994cc243b8dfab579d4335db62f3577fd2d8a7fbefcad6cc615e2bcf1d014115056cde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
74d9eb5260fef5b115bec73a0af9ac54

SHA1
18862574f0044f4591a2c3cf156db8f237787acf

SHA256
7d7e7b38664d625a0bbffbcb7882b175709e92987bf9da113c4745fafbbc361d

SHA512
b85917201b1d4b4542a4424ce40ddd083ddbd0e230e1931fe6f7cdd2aa3d8a0eec8daa743ddc5467f0a92da5594144c602081d941b216ca9cafdfd3c150d32d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec974d6450b1d66b1603b4d8ab6f311

SHA1
a69718ede5e64505d611081ce519c13bf1874c71

SHA256
c8f35daf396d3857417f59817d58bd0d546a726b6d8a00a8a1c2d158623a721c

SHA512
9a524e266bc6b297d510d791445a6c014684c7d583037e2e40c8ad5e886e49f843662afc3c39cc9c82ae9d165e0a9ef3345dc800eb0655ca70b0769bf207bd2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
281B

MD5
7f78dbab7f5a799cc1fad7bd8dffb12c

SHA1
4dd76f90bc715b1286d14cc6e9310361b24c3548

SHA256
6a77ff640f6cb21f8064253d24c5ec341662a4ec8e58e5181caa9c4d58677281

SHA512
2443f1e738b4ec81bc11c7423e2e358c995f37e910cc210151d929a3f58d88d49762a214d7247c6f6d548e86db0dbf8486ca84d54f88beef3212b6a6cec775fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
070049d378f102f76b1ae02533150adc

SHA1
d535f44a008a95e8491ca1cfd128f142404f1e93

SHA256
8a2c6948e0f373502a03d727568967cb4a5ae040161b8fbd4f63193c7731838c

SHA512
e95864a64fbbc873a021f2cce5b991fdf3746e7cb9cae7418b2d5ef05f923ec56ad2dec38db13cfddb8341916bd1582ff4ae0e105068746b7d4e0e851f81be19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
8b5fe5c2b930a50273ed48c750ad369c

SHA1
32e8110767e28d41a24dfbc0331b4e3a1b476362

SHA256
045e6fb8835565fd9a6b21059a389d3feb73429ddd93eefdcd6057b8db6491be

SHA512
c111707489b7531ffbf29bacd99a93d724dcfcaaebb485451e3b7cf1f9dfd3d7b1622b145af8642a78d77f7731fc4dcf30b64a0dfe988459f38f7f64b4c4d39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
f104148a1522fcdd360e73e95da55ad4

SHA1
717606f55852ccc740943d3968f3a9022b69a95b

SHA256
c8ed9bc4efa95445914b851c55878082a26646f46c27d75fe6fd991877503e03

SHA512
f02e98d6186c26d26fb9f793ee57ac7d32b55ee6fe0b20ff5a6d1437c5f138034d29c2bb3829cfc50adabd9f0fbfe151892e50deace9bf6138cf3e1aa213e78e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
e0ef3f8fa8da703e4158dfcf5aaf2aeb

SHA1
3093ed9a7314a8e43b8a55ef1b7ec38782c11881

SHA256
e65102824d201ffb4b8a993c6fabfb4e8b3a361d19f1af63d6899db10bf92f68

SHA512
9572ecb2ad3dc9b51a66b51807a1c334dd7e4312633584a8eaa39eb5b59e8a05a806652368092a1cede6729aa3fd0339d862861854eca032be92143a90bc26c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
b53af9d6ace0518462795d5ad4582f5a

SHA1
b1b550bf194cda6dbf8b8fd91874122ea6747706

SHA256
d7eb170a9a43d42c7408149dd64c6c30262057b36432d0c951d2f735757de8a1

SHA512
c6fe953a215aa96fe53ae9c263261215f3dee4112df6c29f961375142f895fd5e2de459364785e5abbb175c54cd36664b8c4022c01271af604b84732a4fe4350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e720da6d4b46602a329ddf5b7bcab974

SHA1
c88942cc258acacc93c943b3af7b5b88e44abd0e

SHA256
8ed1ebcabc91c26c7f38ff582152330c2f2bf993ea907c61d811499f78923ad1

SHA512
26c574c7ad6aa64fc149cb926c397a7f7df4668a32d25c6f550cbbc0128361527908ca232a214736db0fe93d18d7092e966315b51b6a79fc79f117020bb6a469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
113974974640c98d0da6ae70c903685e

SHA1
b0a2458c94980da8b059a029f2f7500a0f9ccf2a

SHA256
ccdc79465a283c4157eccb133be937d94bcac15c3737606cd67ec263faede8c4

SHA512
0c63c85761b8dc3acd194e592a0be2b23db389ef5e65464db6729af3cfa04f15fa6c52b934f0a16ecfe1621d25feadc66593828ef3417a2cfe1644335a02ad45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
df2eae53fbc1853658e5198e8599a6fd

SHA1
535afd498296b18a9c28eedcd8b5b4ab5efd6beb

SHA256
8a91bd64dc4c19faa7147b1dd491b31e6c1e209b22a27a8ae094d08de7fc9d89

SHA512
402745632f706183b799940575437653ff6eba739ada2e468741078b5b5e3beb2f5c27e9dfc3c42eefc7a051e6242aa150099dfee33f6d4d0dc093c8e2fc40e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
50b95900255a3738c2eb7b3ae93c9fbe

SHA1
0d3b635cedefaddc39e392e039e2788fa7dad8ef

SHA256
643aa08f884fd2d158064833b90f4bb7f2461ebf8612e4d97cc69b3945808642

SHA512
d3e520f4f17f31e0569eb90ddcb32a03fcf67ddd535290e0cb2ab695cfae14cf407a27070eedbb9910e6b569ab5149fae2c467253441d39efc9c5c29589fc9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
534bd5da1434a69bfd9bfd8a100e4af9

SHA1
e7d8ca45865661a23e18982cc46274065a54764f

SHA256
1a85b3e69b1e7f4cbba292ea8dba3c57e9b54ddcaedf3709139e5e63c1ffbdfc

SHA512
64fbdd1a8ada9f03f8d5a4276470aef1d779a2583a2d4610dd3c1d9576293c2b6d4c59f92ba1cfdbb78487257e0f8332363e24e4f0fb5ae5cc0be65c49408396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
472c8e4004c63f439b647668c64aa69d

SHA1
bc743a9b24bd69a539c6cab60c2f196306013cf2

SHA256
b8dbf43c624e94bab2422bd797e0578edaa86c0477de7dd35f0811c80dc7e46a

SHA512
0f09e32535d4fe270fa529ca9e8a0d27182e136b444475d93267ed8cebedc9b8a21bafa42796156dce8d8e94df811bd70fff528decbdc83ed33a4a350278e583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.2MB

MD5
42bebbc9ea503be1c3c78ac680e660bd

SHA1
ba7e6e6bdd1ff3fdbd66a6c25a180eaca08cb774

SHA256
d3a100c67a0ab27b0628df13e53b36999059981ffec20422b61a2801fc1f020a

SHA512
acf711b01b8fa27e487d6009644a7640197b44ff5efe6161670b4109b03c629c466c9411e56a51280b100494fd228123738320199cfe9763737dd98fadd13a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zorara.exe

Filesize
803KB

MD5
e63395b9021c27266554fff6b4ed8fab

SHA1
340e1bf4ebabcfda652882fa3789c5d4ab197bc9

SHA256
ff6ca0a62dd38a42391334d1e813b3c5ae223ca580c212d95ba6b80f30a0fac7

SHA512
aaa1f2b379644c619bb4619071e3102ddc23f6b5d810f922c5d159dae5da447785d9e178077b5cd79f9d8823bd49843587e0a8848d2149bb594b276e825784df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqqiPRWBjb.bat

Filesize
239B

MD5
09e760b72197abc5ad065832976bd625

SHA1
ce3d7d171750218f1854bed31bc5a91c7538eb4c

SHA256
3fb99333a02984e41e1b4b33e62f51601c13d924c1804a07e100c9a49a48e012

SHA512
900f3c44c2665099e372a4919ab58c7ee069e784baa44c7f81b5dbab1ac35ac6730f5521fcdcd913cce52f88c21f6db67c6608c57e9d5f77d3895b6a4c13d7cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e647349dc6bc26a0c8edb7af39563d2b

SHA1
87f1cba830688d0684aa0201bcc7a45503527b02

SHA256
91398682efefbb4fbe97ad79d835a305bec8aa869f2384453d6d91d969fc9c64

SHA512
95bfbacd3e1e2133fb2f4187fe0e96c2213b73124b1af445edb6002326ba4e364af6740da9c5214a1d47b052920375ad0e7d2829076127a35f2afa3d409264cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ed3891535915394f449b34ccc403ae92

SHA1
21ba18986a7a2287b3520959f8ab61d619bb2714

SHA256
e20bf7b52ac45654a964f99e48c44d7f27fa19c5e811e2776c63c8cd737f9000

SHA512
ac5de953a48fedaf7a1fd214cffd38e2ce7a23ed0f6d5e81655fb76761e9aa872f5ab9e28249852a386108fb92d393c28bf6948217cadb6540860c124d8476c1

Download Submit
C:\Users\Admin\Downloads\Zorara1 (1).rar

Filesize
41.3MB

MD5
af89a85f132307e4ddd7bd8eaa6fb87c

SHA1
8b3281a638815b2c44d0a18d7be3fe00cabfb8f0

SHA256
f6492f9d1ebc3ba11f458bf33c71f8c288e357abaeb0d4898c4359b2b152facb

SHA512
9437f25d5d47f5f7b9eb13a47d71029f5acc24c4140d0eaf1aa150e915467b42f41f16a6ec157b9f594b5529eb5dfd8beb668acb924c4de64a99c10bdb5a68f3

Download Submit
C:\Users\Admin\Downloads\Zorara1 (1)\Zorara\Zoraraclear.exe

Filesize
3.0MB

MD5
2bbcb2eb310ae73cd05c024afee324fb

SHA1
4d477371119a135e2c9e65ada34547afe65347a5

SHA256
628e668b234ae912b337b5ed8a9edb0baf44c6f2f0a297c1e6fc354262a37bad

SHA512
704a49e72fe03db76ec71e68b8309d3ad2c1c5e4b2042c68dbb383dc5502ebc5e96eb12b83c79cdcfbf1a8ebb04ffb11670628a1cb0bb49ebc617044ca5679be

Download Submit
C:\Users\Admin\Downloads\Zorara1 (1)\Zorara\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
memory/876-577-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2028-589-0x000001EF1E8D0000-0x000001EF1E8D1000-memory.dmp

Filesize
4KB

Download
memory/2028-578-0x000001EF1E3D0000-0x000001EF1E522000-memory.dmp

Filesize
1.3MB

Download
memory/5276-664-0x000000001B010000-0x000000001B02C000-memory.dmp

Filesize
112KB

Download
memory/5276-665-0x000000001B3D0000-0x000000001B420000-memory.dmp

Filesize
320KB

Download
memory/5276-667-0x000000001B030000-0x000000001B048000-memory.dmp

Filesize
96KB

Download
memory/5276-669-0x000000001B050000-0x000000001B068000-memory.dmp

Filesize
96KB

Download
memory/5276-671-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/5276-662-0x00000000025A0000-0x00000000025AE000-memory.dmp

Filesize
56KB

Download
memory/5276-660-0x00000000001F0000-0x00000000003E0000-memory.dmp

Filesize
1.9MB

Download