r77 | hxxp://github[.]com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas[.]zip

Resubmissions

04-09-2024 02:38

240904-c43vssvfpb 10

04-09-2024 02:30

240904-czleystdmk 7

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas.zip

Score

10^/10

r77 discovery rootkit

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral1/files/0x0007000000023537-687.dat	r77_payload

Executes dropped EXE 1 IoCs

pid	Process
5892	quicksfv.exe

Loads dropped DLL 1 IoCs

pid	Process
5892	quicksfv.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\QuickSFV\quicksfv.exe	msiexec.exe
File created	C:\Program Files\QuickSFV\libquicksfv.dll	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58841f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{89B56CFC-0270-4ACF-8BF1-048251FD9E08}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84BB.tmp	msiexec.exe
File created	C:\Windows\Installer\e588421.msi	msiexec.exe
File created	C:\Windows\Installer\e58841f.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a2808484d8f468e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a28084840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a2808484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da2808484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a280848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{D75B3422-EC52-42E0-B6C3-64EFB6397847}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\open\ = "&Open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.sfv	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.qsfv\File_Verification_Database	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.qsfv\ = "File_Verification_Database"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\open\command\ = "\"C:\\Program Files\\QuickSFV\\quicksfv.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\ = "open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.qsfv\File_Verification_Database\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\ = "Verify files within the file verification database"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\DefaultIcon\ = "%APPDATA%\\Microsoft\\Installer\\{89B56CFC-0270-4ACF-8BF1-048251FD9E08}\\_6FEFF9B68218417F98F549.exe,0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\open	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\File_Verification_Database\shell\open\command\command = 7d00330027003d0054006000580063002600400027005e007d006b00510074007e0053006a0025003e00710065005400650025002c0021005800340029006d002700660034005100690063005f00730051002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.qsfv	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.md5	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 22569.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3276	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe
1012	msedge.exe
1012	msedge.exe
1064	identity_helper.exe
1064	identity_helper.exe
4276	msedge.exe
4276	msedge.exe
5436	msedge.exe
5436	msedge.exe
5632	msedge.exe
5632	msedge.exe
3024	msiexec.exe
3024	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4416	7zG.exe
Token: 35	4416	7zG.exe
Token: SeSecurityPrivilege	4416	7zG.exe
Token: SeSecurityPrivilege	4416	7zG.exe
Token: SeShutdownPrivilege	5716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5716	msiexec.exe
Token: SeSecurityPrivilege	3024	msiexec.exe
Token: SeCreateTokenPrivilege	5716	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5716	msiexec.exe
Token: SeLockMemoryPrivilege	5716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5716	msiexec.exe
Token: SeMachineAccountPrivilege	5716	msiexec.exe
Token: SeTcbPrivilege	5716	msiexec.exe
Token: SeSecurityPrivilege	5716	msiexec.exe
Token: SeTakeOwnershipPrivilege	5716	msiexec.exe
Token: SeLoadDriverPrivilege	5716	msiexec.exe
Token: SeSystemProfilePrivilege	5716	msiexec.exe
Token: SeSystemtimePrivilege	5716	msiexec.exe
Token: SeProfSingleProcessPrivilege	5716	msiexec.exe
Token: SeIncBasePriorityPrivilege	5716	msiexec.exe
Token: SeCreatePagefilePrivilege	5716	msiexec.exe
Token: SeCreatePermanentPrivilege	5716	msiexec.exe
Token: SeBackupPrivilege	5716	msiexec.exe
Token: SeRestorePrivilege	5716	msiexec.exe
Token: SeShutdownPrivilege	5716	msiexec.exe
Token: SeDebugPrivilege	5716	msiexec.exe
Token: SeAuditPrivilege	5716	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5716	msiexec.exe
Token: SeChangeNotifyPrivilege	5716	msiexec.exe
Token: SeRemoteShutdownPrivilege	5716	msiexec.exe
Token: SeUndockPrivilege	5716	msiexec.exe
Token: SeSyncAgentPrivilege	5716	msiexec.exe
Token: SeEnableDelegationPrivilege	5716	msiexec.exe
Token: SeManageVolumePrivilege	5716	msiexec.exe
Token: SeImpersonatePrivilege	5716	msiexec.exe
Token: SeCreateGlobalPrivilege	5716	msiexec.exe
Token: SeBackupPrivilege	4940	vssvc.exe
Token: SeRestorePrivilege	4940	vssvc.exe
Token: SeAuditPrivilege	4940	vssvc.exe
Token: SeBackupPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
4416	7zG.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
5716	msiexec.exe
5716	msiexec.exe
1012	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 4668	1012	msedge.exe	83
PID 1012 wrote to memory of 4668	1012	msedge.exe	83
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 1168	1012	msedge.exe	84
PID 1012 wrote to memory of 2220	1012	msedge.exe	85
PID 1012 wrote to memory of 2220	1012	msedge.exe	85
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86
PID 1012 wrote to memory of 4676	1012	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccaf746f8,0x7ffccaf74708,0x7ffccaf74718
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:6116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12259260569674528803,13153337725347163859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\quicksfv-setup64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2128

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Plazas\" -spe -an -ai#7zMap12979:74:7zEvent3780
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4184

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Plazas\CPlay\HOWTOUSE.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3276

C:\Program Files\QuickSFV\quicksfv.exe
"C:\Program Files\QuickSFV\quicksfv.exe" C:\Users\Admin\Downloads\Plazas\Plazas.sfv
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588420.rbs

Filesize
12KB

MD5
746a202a32a3723701c4dce23f61614d

SHA1
83605cdba0b9674fc74e16d5f4dc127dfd5cb34f

SHA256
6c96d4dcb21dcf6b5415da990c665b8e8d568d2e8b99ca76488ac2f8150fa18d

SHA512
966a0ea706f66adcb258b8aeea77d1d0d58943a4300ad8ddfe9f1d71a6eba1e29df5cb8accae7b24f715cdce99a0ab38ba9e94d0cb342e68b76bece42e79ada6

Download Submit
C:\Program Files\QuickSFV\libquicksfv.dll

Filesize
151KB

MD5
967ac5eb28a1fe11ae043f91e9d16c55

SHA1
14f208c09a30e97fd61943da74afcc985893370f

SHA256
e3650113af3391709b4c0dce32df7c1082839b6e84d7c4179ccfa6c3078facad

SHA512
40f051e35d8180ea3c0a7d84cf9c00fc7bebc7a538a831ad2916e42da0aa8258a039b29e42b4edb59b9df1db81edf9679edce4d104532370ab681a837a20d7dc

Download Submit
C:\Program Files\QuickSFV\quicksfv.exe

Filesize
111KB

MD5
62cca2e64dd1122936ffcdb4937026b4

SHA1
35ff94e877c7ea62163ae6969ee48345e2616d99

SHA256
78139c863d31ccfc2faf018ad8c239aeb886766d40923a77a9b7e5142a666e41

SHA512
866139b8401a2434d787fa04db24f0ac68b1aeca57093c281da41357325ab3271fc8ee987c536b93d7563a510b2cb96bc9efbd70d0986ad278ffae4c98cff713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4dd4f08f679f0fcb1ddd5af1cd20c307

SHA1
bc76515b1cefee224ac0b368d21b21baab9bfa19

SHA256
d0719cc99bf3b99d6715a2d52962eb92f3a2e5383365a79eee38e3917de17dce

SHA512
1dcf9fa1d518166c9ddca3270a84ad02ba17eafce7a5d4febfce769c41a1a47d75d75b91eea1c1f3019f5b465cace3f8c42b1309428ffdd80b003bc52bb98be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
53a99b2c9dbacc2c4f5ec2d818335f90

SHA1
841a1c3f1b2f77c646cc46f59649b0f1b3cde18a

SHA256
a3dfe62b8c1a408985fce66aad7cc586f1fb3366fd8595ddbb65fa04f595403a

SHA512
de32e2f69e4eca25d30eeaa44dfdd5324b0a3b5b80ecfd7ca37d21ae9a403c3ad9abb0aad29cfd03df160e340c87656d3674ce0f1a955900569fc90c6e0dfba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dbfef775e45faf8bfac9270c5951aa73

SHA1
40893349da9254bed0a609a5640c776053fa10a0

SHA256
4ae108bb9f79dfbe2635d4ed08b1629991ba25d798b83538fb01b57837381e8d

SHA512
f0e8c0dc296808fd90a4d3f4cbf5d6c7e23a6b5f18389380bed76a359e408e56bd3b27d8aa947dd71ddee51f55b47b98968ff4134624dec6a99077d946929344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a265d9698c390330a706742cf4bb4d9

SHA1
9e8dc632014eff561c1ea56cb9c8a746fc32ac76

SHA256
8f9c6dcc71298de007e1fb0fd4cd64266c6e3a72d69988fa755b5746490bd359

SHA512
1b511cb7b7a39b29e42eb4aaec7feaa032f359a4bb7fd8ff2ce89f0ecd2b3c03605e8457d2ec294135d25fc82f2a965b7df2efd29c0331948ed36acd30da848d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f07e7b9af666f5aa01d1cfb4fa7901f

SHA1
996bd4aaf408a73a099a8d8a75bda428cb01b367

SHA256
e07cdf3246dff6594f91528297bb96342ff55d80c0270b5a6fb7d954be6938f1

SHA512
b1fbd9557f13ec7e2e3ed9bd7ea77a23f983c71fbed6863319f92d532a74573499203469e83aa0a2e4d7cd356f19e22bf7bf71391e1936ebf861fdad09e40704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9bfa693b7413bd66b7b4debb98a1bec2

SHA1
1263788f62f67bc945a8387dbc0f3fe38b404156

SHA256
68df1ea7a5722f787b94219e547584e881f56fa7d3788520a783af59dbc2a538

SHA512
623a357eb332e7aa98b4fb38e3d8780184fd3937aa619ad08eeaf075abfd12637602a5e15a66b355131dea137735ee52b6ad956466358d36b0e248559d1c43b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a57c08b4e06485e49552b1ed1decfac

SHA1
67b992cfe24875c84897c818191a41a74c7b238c

SHA256
18d3c3e47b9bd787677b80d642e7e8ca68264618fbab393082152fa6515ebb10

SHA512
db612e1dd324383f26ca91fb6c74df6a8dd274f0c55333f3ab723fa6871ce10fbd9a9950bcb3dd365945d688d5b9e240ded21627624261c9b036a54abd5b7931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ef827d731eb2e98dce4aa3beb10e7e0c

SHA1
5d562e70a14388dee366a12327984d7709c95309

SHA256
d6713446dc56ec3a5f479db098fee66664fb32b179e76a201c3029e152a2c5ea

SHA512
24de3d71ead0ced860892c156a8225fe7da6d3274df5d5eac63b5125259e5d11d92c33d160f4170b9135a8f9316cc82bb4d714d982954d260db73f40dd5b885a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c2f8ab985c4d53645384ae7b0db55d8

SHA1
f854cfd317ea6bfaeb9a9a65efeac51ebd8d7235

SHA256
d565737e7a167863e9225f464651665759696194dc56ec5906d3fb05305802d1

SHA512
76f51322d66112587b6cf009020a66269845dd033aa6dd3a080b262f6aa9e5926af77e75d23bfad2ad21b120727d12b8f908c4e1941c0620db3147cf8788fc64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582f87.TMP

Filesize
371B

MD5
ec79eeb10dfbc91d58dc422721028b3a

SHA1
cd7aaa90e3382a2a80c2d149abd2ec48df99043a

SHA256
3137f9fe946e1a365e1b28a68b5c507cd3a48ee141908cd4daddce56220018df

SHA512
8e30adcf17697bf7cf3abdcbf983a36b52a407ad0faee6ce780552388be01a32762644ebd40457ccb8fab8dbe2a5eee568000a65f576df71e54c418fdd1d1df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3c64a6f5e489f1585e2e1a86712653f4

SHA1
9e3b41c22f8fbff0bee80ff5c11b183dabb5ee8f

SHA256
9ed9d26a27593d9ed39f1cabb9417515ef481a1f385b3c27fd21a8e0b1cf30c5

SHA512
c4918d297b1792ab7f577c69d941e4aeb95219d04f5604e49da0343710786c064eb522604d38c2ec56fcabb21dbdaadfd96dbef93edeac42ed7f44f85c67269b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4068cd3327ed850f45ab44e0998b75a

SHA1
4bb2db9a0904907e0607d7a04029896fbae4706d

SHA256
84d6527f1faec80ac7a6b3ae31a2cb20f97bc3fc40e4a9c41064cdce451ccd48

SHA512
f35c8b2b199f37aa1139b95bb30459d040c6fbbef5886c2fa915047942d70e4af39ab445b1c328ab0f698b45c4f0c4f2599e48e9497582e8c00c91a68d9d894d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c367f8674ce8345bb6080d145ee530ee

SHA1
5304a0d32b56e516f8789de44570136bf754bed6

SHA256
e689666823e8959c82171b779761b20e527ffc63969deffbe8e4b67b8ec576c5

SHA512
c3d088128e91f2753847b4d6160de07ff18c7a03aee1f56d47cd869cb86e0a5e1aec6207123b6c6bd80a8a73696d16b092236825d77aff914b7d5272f66d1736

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\CODEX.ini

Filesize
228B

MD5
9a3305686dc02d2a23e3552a275bfd3f

SHA1
8a3e15d45c6bca89cac8c0895d452abc02bf21cc

SHA256
b44a8ab85e537125cedf0ed5c8ddc5efa7eef4549f148d6bf4477d05e079df8c

SHA512
3bad461549bd41b4a371314f75853328c29a6544b58315dcae2bd27bc4ebec099da1b784337e3a823133299a3ba65d9158eaf65fbbe1575fdef04774167f70df

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\CPlay.ini

Filesize
293B

MD5
7cd5412fa012ca8f94a56605f5c7c8e4

SHA1
0f338dfe1c112e88752340d87ffa289edcf03bf6

SHA256
2000839daeeb5800beddafe30df095b79f32e7af1e9c3b08ed8b3ede27420407

SHA512
600833d8351427b0483ef62ce67fcb2189b8dfe557610f08bac9bf4a3b07d9ed1bd397d260330bfb40278b6e58fc606edcca9b19da57b359d82c4d04f7011fe0

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\HOWTOUSE.txt

Filesize
1KB

MD5
bb3d8b729cd7575889cc50c6a754c994

SHA1
ef1ac3fdaf3354fb96bfda456951c4812de5843e

SHA256
fb2691e2f53674a6d1689155317bc50f15484cd35f0561cd02db20d17533937c

SHA512
d7e46c8dcddc4e2c811f5f0d8b9138c0e75fea57d4884f4ea0bbf5d06c9d76cf573fda1c8de5aa648e81f624dea00822a557cc52c0638e28d807c6261f362fbd

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader.dll

Filesize
329KB

MD5
eddbbe03714c5d30ffce07f09bb76d7e

SHA1
981887bdfb03aa58459a662bb3669fb473fc1fbd

SHA256
04dca7ecbed3dc6bb288758e542a5b3a8b612c6626bbc51abe8ea173230f4a1f

SHA512
2fafe9567079a399f94f762b1c635480ede300e53b1863d024bb37b5ab40bf64218ae7189ed42fb7f0a7266fd92458fbf04569a2d32b26ad5343da8adce57356

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader64.cdx

Filesize
540KB

MD5
9d64e0e3a07b6c001ed8f106bff9373c

SHA1
c255915d9d76af364b3c4bfc67f46e3a3f178af4

SHA256
59ed3e8b2174043962359a3d7d76e7b64354427a501f4ba17b3deebadf67648b

SHA512
69a6d53885e02399fffd33f55f21c14798b9d5e61ee241838c296044b66c1ebc92a3e5125a99a4e453d0e576d8d46b81e46f062fe6bee7b83e5e1c9c30a72723

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader64.dll

Filesize
329KB

MD5
db68a475a247e2c31d452478c222a5ac

SHA1
7ecf6c06c883b60e7f1658f24d1f61b4f99cf4d6

SHA256
051316aae5c7c076df5d4489491a5ab760a640ca9723553d45feed12fe6cf99f

SHA512
1a50dc997386b7a190b03b373a3894cef858015dd9ee9d076d53fa76a5c420d9f2550559e4ece983d65ba7c9edaf174376341505a4d99b1eb5a6bd8c3bd2153e

Download Submit
C:\Users\Admin\Downloads\Plazas\LumaPlay\HOWTOUSE.txt

Filesize
560B

MD5
13baa7b61393267b2affc7173c1594f0

SHA1
d09b8e226e3b142a7542c7f0c83c7c4d10b72695

SHA256
630b545cdb77fd8fe3daac4da3dd90d2ac956c9a4cb23484521815279d84d9ed

SHA512
b07aea4fe3a3d8b7f5532a73417d6ebd78c7de22a52c5c9d4e230cb7bafea1c7256783b34b7654fdbe5d1e65fe2c7d9dacf4f19dc192d3144d54708f6391c6af

Download Submit
C:\Users\Admin\Downloads\Plazas\LumaPlay\LumaPlay_x64.exe

Filesize
149KB

MD5
113ab94c75f69258726c91a5a94d95c3

SHA1
3272db5ac69f2cd675b9c377e1b3692ed2016211

SHA256
6ddefd167a478df42f580a762762be0b130aad0544d28152f12c0e0aa793e267

SHA512
5650549e4278f128925061c257cafcdabb5465c81e6a22d8f3935afb92c9cfa7d7b296c5682c802b361f8d60bc891fc2e451130bbbd466965fab17ff58888240

Download Submit
C:\Users\Admin\Downloads\Plazas\PLAZA_NEW\uplay_r1_loader.dll

Filesize
423KB

MD5
ebbf77e67da7441c4619fe1e00fbc40c

SHA1
ffd10ddc7dd63e7cd18ea658d94751d5d167afd2

SHA256
c1508bd4782cc3707017305322684ba59f60fd183ad8c04aeeecabc99a4a5aeb

SHA512
5b36517dbfccc4d4e725eb3f03cf851ecdd9fd72958d4593cc636cbf1b8c8763915b6630dfc5d13d1f20ed81dbe1887c1314bff1bd589c12d344125aff36b5ca

Download Submit
C:\Users\Admin\Downloads\Plazas\Plazas.sfv

Filesize
7KB

MD5
eb939f24ea2fbc32fd11d9757d5e41a9

SHA1
c30103e69fdd74dfdfc21b8f6178cbb4551c8ba4

SHA256
6f14d3bab5f5a827153218d098106da730b6fa7946a03cba7c909716e270f2f3

SHA512
0ec6be4f1dc889816f2a6685f1b07d96de5b78082be249d860c6e24f6bdc6ddfb7bf8ffc4488a7b1dccfac9e463746c19ccf2676de0691bd5b2485359500e9ee

Download Submit
C:\Users\Admin\Downloads\Plazas\Readme.txt

Filesize
131B

MD5
000bd41eeacc71f6ac171903381fa59a

SHA1
f2eaf06e601a65d2d1e123a5fe9228b9eaef622e

SHA256
981bf8cf5636693e3b02c227407cdc1c520b4333d06507d33c2d56540b805ffd

SHA512
e5c3798693948f25b3810c083953d746e50fc64f2de3c5eca2f66fd0ea545eff3c0cc2eb6b42e4d729503cc33915bc1e5b9cffa6941fc3aff3f0b74b84c1da40

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\cream_api.ini

Filesize
1KB

MD5
0e3fbeaa6e089812fd90b1749cffdb25

SHA1
cad098e2a77d39401971ef52774d735459b7ff2a

SHA256
a8019db2b87e4822af7dc3722dfe44eb0fad2a0794b39101b750e3b7effb03e2

SHA512
f331629a0fba524c386c32c7ea54beb3e7db2b83ab8154fcbb2bd64ccbb8c0016906f7affd5192037fced21928f3d81258f5687a64a071a3a1aa96cb62af3745

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\steam_api64.dll

Filesize
697KB

MD5
9ff5374f639aba21ec77932b0b572697

SHA1
bb31b3fbe031e678343f5c525b30ef8f0c410195

SHA256
b69b8ec4d7b9c39c92075f85d7339203ecc45ccbec54703f4e6c0099c0722654

SHA512
1b6f24835c0fa9eebf1480174e7df9b42cbdb55e6bfd0cd1c73a7bbe57b7e7548472db0183fcb861d5e3815d6bd2b6a97e5dcdad6f924bbef33b704d7acd5a90

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\steam_api64_o.dll

Filesize
256KB

MD5
8afde2d19c89d0bf1a9f6ec475aa0ebb

SHA1
7d1453b841dfb1101ab45f63d3b4294b6c5d0cb6

SHA256
473f5a312b56519f347741b63f3dea590946b96ea40ef3803d5f452c39af2f1e

SHA512
4166361eead938b1a01f110ae3acd3660f5123ccf97b4504ed0577b3eedbe57cee5222aef037524de6051a6727c88161a4aa250b4ae60fd84ccfb2591d1b2090

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\uplay_r164_o.dll

Filesize
214KB

MD5
ca26813a9fc019890cfc682c629e7f28

SHA1
8c1d6c644a96ed8838a5ca48cea175317dc49ecc

SHA256
6640492f9467bbe29354e21568201a31734c3a67491e4c5b32cd9c20bdd0db5f

SHA512
ef06c481910614cdc1609457c2e6223d11ca54c6314f16389957bc362867afe1258a4507e681b8e10bfd8d7a4eb78cf76843589c5d6e34a6e6a1dcbb3d224759

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR2_NEW\RainbowSix.bat

Filesize
135B

MD5
47340c7961ec97a68bc52a0f57ded9dd

SHA1
1c4d50de1c7481024a9f654799119a074ee39b4d

SHA256
345f6ce301697aa847cbc95b35d399d6eb5c87ac02fc56399eb3dd69038e2cfa

SHA512
c1115aaa841b4eb4a750f1d92234a0a121f83f46f7be9dec9d348f42c408608e8ef2cd3fe908f9034aba90e5898b30fe35ee717302ef568d588c36433737ea57

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\readme.txt

Filesize
168B

MD5
80c3e5e5f8000b1156d4d0a0ff4dbd0c

SHA1
d83268d25c444ee4e2a5f5241556f8dd72f49492

SHA256
fb3ea9107b276ba7aee29de52cd7e40cfa65170a6b71ac119db7da96ec7dc6b9

SHA512
71ae7eee9a8c9ff0dceac49ab4d9ae573d1c32c01528949c87ec7c53b50c74d9623748d14f765981d12329f37e55283225267c8bcc309a151ad3ca775824e03d

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_api64.dll

Filesize
1.9MB

MD5
37a7e0deae6e7bd1154f8fd059f9a241

SHA1
5787b8db0d0d656d13474cd7d2caf66c443e181c

SHA256
eb9b78ef3c339591c1993c9c364098de386edd391e1169ea0a6daa39ae9735a9

SHA512
6d375c3abceb83a48b277ebafa7da24128fa97cdde7b3f3e89970671582ff3af8a413fead8d074127a97fc34cc423fd218f878ee3a218f6f28be3aededbf83f7

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_appid.txt

Filesize
8B

MD5
1771a9bff4cc257daf7254d6a8957251

SHA1
7e2351512eeba61f6ed5d28ea7cfc3ce122bd0c0

SHA256
fd0e883ed180abbaecc1c0b833ee9c8f26bc842717108e4c4ae6fe4efc5fb190

SHA512
45bf7466683ed7deecaca6cf6875dd4a0f584ce0bb18f7627c4b74b3d6e1dc60966518346779b301d11527d88cda5af53f8a825b991d8cf45296f6fb0ded3348

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_interfaces.txt

Filesize
629B

MD5
cca6bd0fd6345948ead85477cb99cabc

SHA1
b5269252dddeee7c81a15aee1797573b116ebf19

SHA256
b5f59def7c96dc2bf594f4bd2cf6afc99936047287a3083e73360cb04b0d07ed

SHA512
d366000a04b5fd8ea5cc7b2486ee5dd1c419f05e8de7a0f091e632b15dc6172fbb0f074c0aef6d5037567192fc23e12f99a430413ac1b54fc7414f535e7d00f3

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\account_name.txt

Filesize
8B

MD5
7e20d471144b1bff4e1f5d953e05ed15

SHA1
e90ed7a9db5e1d4dd3bc2c23b48aad6594d59d3d

SHA256
ff1eb40ad0e8c5db08556da1e61803e96c88a120c4e88dc430232c5a3d45db57

SHA512
ecc5dd4c6de364f17beeeb0b1845b11fecc6fd98943bd294a7d1de933f3530550fdd9633fc05a8cdd5bbfb97ce1324c42664ebc41d2a66d6f715527900f4376b

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\language.txt

Filesize
7B

MD5
ba0a6ddd94c73698a3658f92ac222f8a

SHA1
1b669334dae8ebafa433f0175b5fd418a7bc0975

SHA256
b6234d2ea0d6022be63db80d7b80e221097fe4a469dc44febcd2a9241effdeba

SHA512
0882b702e0f4c1db1701789796ab1d12d72627811b67299bf36b9b25c29465cc24e72483d171c435368dc9f777837d2bd45ccff293de2207d32ba58a6ac01023

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\listen_port.txt

Filesize
5B

MD5
76bf79e9a0a4c128d97dbd6900773f4b

SHA1
8abb38a924d5bf8a1ee12fe96aa2d2be942704d6

SHA256
45095e3e3f29ea73ffab2e23158b7cd2afa6532004b5a9b6f06d4e5e068a89aa

SHA512
8cd54c07d87c41103d963eb7dfd2642b07bb67ceb731b477fc9cd9b736ab03833dc2e2d0b2eb399002d76d405a20d5816d19d77ef760d7dac0c1a67d80662535

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steamclient64.dll

Filesize
87KB

MD5
4cff480250b8541bdb077f91a89d1cd4

SHA1
a6784b2e7d51eb6add17ba7c9edd6f4c345abcbb

SHA256
1a1399561cfb9dd02ec18cffae62444feee2c818ebc419b8b40f244b9fc4ed2e

SHA512
90b8043428dd9574c0319457f9199beae4fe80490c85817524fe3b98f9a587e13101fe34fbfc64d24f158db61d2726ac35df77b2a9d5a7c0d12e1e9a308a9e5f

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\upc_r2_loader.dll

Filesize
125KB

MD5
43f6c7a25644e2b1f6860519aaaef780

SHA1
3618d1323761fad2075c7ee2af3c451e9eeb2e15

SHA256
8b84e4a64ff67878f2cd3a47fb4a95d45e18687554f3591a0e4bc6b377e92b6f

SHA512
565fff2aad2ee0da907ee50ca52e7abd18c6eb16d083967240261968a86ad4900fe00e64669a9b40eb27d5378775001449fd991a5d3327be6f23ed2819aa1c0e

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\upc_r2_loader64.dll

Filesize
164KB

MD5
4c669990aac12ed5c6b8b93478907bc5

SHA1
5a1f34b48ffc100688f50086be0a87e2eb634fb3

SHA256
a4c0299cfacf1a382312e59771a43c6aa69832bf3c81d52c321929b69bfae4c5

SHA512
da51a8048f7bc78dcc1f85d4c7bec87d271cddb92a8e487de299fad29b5ff61add81e7dfa6f7afecee85333571d2db028f07c8339842104a66f671f3a048221a

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\uplay_r2.ini

Filesize
441B

MD5
9af9308871bbac83d24ba0a42dd66199

SHA1
fd53820d3afe2e0ed8588e506d57ad069f757cbe

SHA256
d8148522681840e15124e7521a657dd7595d228ae5ac7d0aff216afa70c35c27

SHA512
3af3f843e43304cdbc0f512b304247ca8271f2d5f33f2a6d588c7908b4eee6c093f8b43df9a5e116027eeec98abd86b31a15bb0b0f580bdafccb44416813bc2c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 22569.crdownload

Filesize
222KB

MD5
cc64b8581dd8dfee976ac258f5df998c

SHA1
20bd263557a8bf7bbaa90ecaeb60bcb09b79c8ba

SHA256
7b4ced15746973773882579b2740b3f2c6a76e739511f1fa352babc96b08e79f

SHA512
538067f341ea41e2cbbf16d11d4d359be2c4067d3cccbd6a85f8cc5395e6a120f73a26af0e5b303f06eeb7447466696196af9bcd16adac66b321ccb6af163e4a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 417987.crdownload

Filesize
8.3MB

MD5
941c65435261bd8b2e438fe6df8ecbdd

SHA1
18a937803e39d42e6ae8213fc45262860b52233e

SHA256
13800d62cbd2796c73c83dedaeb6795eac7549754e5bd31c515b1f4f00702266

SHA512
d899f27528bac0e8fd41b1ed9e0f9a61610510b616bc5e6a6d743a04bad9a7add2d95ca8bd8859d6f09ed151cdf94129c98c8a298f2b0a598d497fe5d709716b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
9626716309cc5c9102315d1526374d1c

SHA1
885517199bc73d9241e36fa6183868506d3f83b1

SHA256
0d8d676173ae4823ac9fb9a2664799c6757b0de064dabac3315ada8aa2907f87

SHA512
ca5654fcd92abf7edb4097bd336231a5c0ac905320e4f70144f2c3509cfd7c87d8f144c84420e681edbc5157cffbe665c474d51afe38f24545e8d9bb72ffb90d

Download Submit
\??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3e9928e2-1465-4fbe-bb17-b0d988567e57}_OnDiskSnapshotProp

Filesize
6KB

MD5
ba170838f411da378d476874047fbd8a

SHA1
f8ae148f576174fb708005eae59b6b4f7dc1173d

SHA256
812ee9da7289b1d33d72e9bc072a658fff597d15cf890d29a7b2fe3c34abab97

SHA512
e8398a4b1a2e7f31381cfed6e7563ec07f870e33848bf0c52233df75b6aa6416ed08752aaf6c7d63064b8ccab39ed3ed2416e08a1ecf151b6beb2cd20c11b1e1

Download Submit