hxxp://github[.]com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas[.]zip

Resubmissions

04-09-2024 02:38

240904-c43vssvfpb 10

04-09-2024 02:30

240904-czleystdmk 7

Analysis

max time kernel
233s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas.zip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
708	quicksfv.exe
3008	quicksfv.exe

Loads dropped DLL 2 IoCs

pid	Process
708	quicksfv.exe
3008	quicksfv.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\QuickSFV\libquicksfv.dll	msiexec.exe
File opened for modification	C:\Program Files\QuickSFV\quicksfv.exe	msiexec.exe
File opened for modification	C:\Program Files\QuickSFV\libquicksfv.dll	msiexec.exe
File created	C:\Program Files\QuickSFV\quicksfv.exe	msiexec.exe
File created	C:\Program Files\QuickSFV\libquicksfv.dll	msiexec.exe
File opened for modification	C:\Program Files\QuickSFV\quicksfv.exe	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{89B56CFC-0270-4ACF-8BF1-048251FD9E08}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A7C.tmp	msiexec.exe
File created	C:\Windows\Installer\e594a01.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5949ff.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e5949ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63BD.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\open\ = "&Open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.md5	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\open\command\ = "\"C:\\Program Files\\QuickSFV\\quicksfv.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.sfv	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{03450909-44D4-4C1D-A8B8-57858EA9E72F}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\open\command\command = 7d00330027003d0054006000580063002600400027005e007d006b00510074007e0053006a0025003e00710065005400650025002c0021005800340029006d002700660034005100690063005f00730051002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\ = "open"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\DefaultIcon\ = "%APPDATA%\\Microsoft\\Installer\\{89B56CFC-0270-4ACF-8BF1-048251FD9E08}\\_6FEFF9B68218417F98F549.exe,0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.qsfv\File_Verification_Database\ShellNew	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.qsfv	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.qsfv\File_Verification_Database	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.qsfv\ = "File_Verification_Database"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\ = "Verify files within the file verification database"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\File_Verification_Database\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 977360.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3580	NOTEPAD.EXE
1848	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1620	msedge.exe
1620	msedge.exe
4824	msedge.exe
4824	msedge.exe
2020	identity_helper.exe
2020	identity_helper.exe
3852	msedge.exe
3852	msedge.exe
2564	msedge.exe
2564	msedge.exe
1256	msedge.exe
1256	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
2972	msiexec.exe
2972	msiexec.exe
2972	msiexec.exe
2972	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	656	7zG.exe
Token: 35	656	7zG.exe
Token: SeSecurityPrivilege	656	7zG.exe
Token: SeSecurityPrivilege	656	7zG.exe
Token: SeShutdownPrivilege	1236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1236	msiexec.exe
Token: SeSecurityPrivilege	2972	msiexec.exe
Token: SeCreateTokenPrivilege	1236	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1236	msiexec.exe
Token: SeLockMemoryPrivilege	1236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1236	msiexec.exe
Token: SeMachineAccountPrivilege	1236	msiexec.exe
Token: SeTcbPrivilege	1236	msiexec.exe
Token: SeSecurityPrivilege	1236	msiexec.exe
Token: SeTakeOwnershipPrivilege	1236	msiexec.exe
Token: SeLoadDriverPrivilege	1236	msiexec.exe
Token: SeSystemProfilePrivilege	1236	msiexec.exe
Token: SeSystemtimePrivilege	1236	msiexec.exe
Token: SeProfSingleProcessPrivilege	1236	msiexec.exe
Token: SeIncBasePriorityPrivilege	1236	msiexec.exe
Token: SeCreatePagefilePrivilege	1236	msiexec.exe
Token: SeCreatePermanentPrivilege	1236	msiexec.exe
Token: SeBackupPrivilege	1236	msiexec.exe
Token: SeRestorePrivilege	1236	msiexec.exe
Token: SeShutdownPrivilege	1236	msiexec.exe
Token: SeDebugPrivilege	1236	msiexec.exe
Token: SeAuditPrivilege	1236	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1236	msiexec.exe
Token: SeChangeNotifyPrivilege	1236	msiexec.exe
Token: SeRemoteShutdownPrivilege	1236	msiexec.exe
Token: SeUndockPrivilege	1236	msiexec.exe
Token: SeSyncAgentPrivilege	1236	msiexec.exe
Token: SeEnableDelegationPrivilege	1236	msiexec.exe
Token: SeManageVolumePrivilege	1236	msiexec.exe
Token: SeImpersonatePrivilege	1236	msiexec.exe
Token: SeCreateGlobalPrivilege	1236	msiexec.exe
Token: SeBackupPrivilege	2608	vssvc.exe
Token: SeRestorePrivilege	2608	vssvc.exe
Token: SeAuditPrivilege	2608	vssvc.exe
Token: SeBackupPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe
Token: SeTakeOwnershipPrivilege	2972	msiexec.exe
Token: SeRestorePrivilege	2972	msiexec.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
656	7zG.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
1236	msiexec.exe
1236	msiexec.exe
2372	msiexec.exe
2372	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3648	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1972	4824	msedge.exe	85
PID 4824 wrote to memory of 1972	4824	msedge.exe	85
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 3676	4824	msedge.exe	86
PID 4824 wrote to memory of 1620	4824	msedge.exe	87
PID 4824 wrote to memory of 1620	4824	msedge.exe	87
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88
PID 4824 wrote to memory of 3612	4824	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com/SlejmUr/Manifest_Tool_TB/raw/main/Plazas.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42d46f8,0x7ffbd42d4708,0x7ffbd42d4718
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\quicksfv-setup64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,15633793792805056013,11050408844062831480,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Plazas\" -spe -an -ai#7zMap28899:74:7zEvent6229
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Plazas\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\quicksfv-setup64.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Program Files\QuickSFV\quicksfv.exe
"C:\Program Files\QuickSFV\quicksfv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1596

C:\Program Files\QuickSFV\quicksfv.exe
"C:\Program Files\QuickSFV\quicksfv.exe" C:\Users\Admin\Downloads\Plazas\Plazas.sfv
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Plazas\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e594a00.rbs

Filesize
12KB

MD5
8a9c3bff95a6423aca697c31623981b0

SHA1
1b72bbdbe40df4da73ed7fc842b5b776dbb58158

SHA256
e5fc883d1a92e473c110392a78af5051284d8f3965de410fd968b0f52d439afc

SHA512
6920c3230bf8d21ef6c30856e6f4a708fbca85fa36c7a0584a39b77491a4ea69b6429d8ff90880d1c54d36087a681411ba2fc973c55e849fa6c769e526b6a470

Download Submit
C:\Config.Msi\e594a02.rbs

Filesize
10KB

MD5
1631c1174bc820809bf9e3835f8a170d

SHA1
790441e92f269c4dc915079100eaec52eb199f6a

SHA256
e29f000fc2478b643abe60f971a292aa1c241c97ca5f27f25a0d02210d168fda

SHA512
6010a04bf0c8aa56c35788c8d695a43566c546ca671ea1d309804b9d0272c728f66e7eb86ea997eec7883f54ada0ebc767d61d7e89200499283086200e1ac58f

Download Submit
C:\Program Files\QuickSFV\libquicksfv.dll

Filesize
151KB

MD5
967ac5eb28a1fe11ae043f91e9d16c55

SHA1
14f208c09a30e97fd61943da74afcc985893370f

SHA256
e3650113af3391709b4c0dce32df7c1082839b6e84d7c4179ccfa6c3078facad

SHA512
40f051e35d8180ea3c0a7d84cf9c00fc7bebc7a538a831ad2916e42da0aa8258a039b29e42b4edb59b9df1db81edf9679edce4d104532370ab681a837a20d7dc

Download Submit
C:\Program Files\QuickSFV\quicksfv.exe

Filesize
111KB

MD5
62cca2e64dd1122936ffcdb4937026b4

SHA1
35ff94e877c7ea62163ae6969ee48345e2616d99

SHA256
78139c863d31ccfc2faf018ad8c239aeb886766d40923a77a9b7e5142a666e41

SHA512
866139b8401a2434d787fa04db24f0ac68b1aeca57093c281da41357325ab3271fc8ee987c536b93d7563a510b2cb96bc9efbd70d0986ad278ffae4c98cff713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5b9807fa-2abb-4c03-bf10-0341b3755054.tmp

Filesize
5KB

MD5
2cb6712e9686d97f15e8d660ad6c6cfe

SHA1
aeb5d23535425db90af1175f52c7b36dc644428c

SHA256
b51f0e63b15f7bbe0517561594ad3776fc0663d10eb7757e9605e1f08b9e3402

SHA512
88bc055be8ffc6186efd39f042106b3f5794541c32a16d8b761526bcf70a10dacc0ad27f54285bca4687a1b0380a07ee02d2986730a3f254224a30422e9aa948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
471ecd3e19241fb1b2d4edb280866537

SHA1
9ffd5b07ef7e043c9dd881bea2d09b204b3f5b29

SHA256
7e4e16020dbd703cf4aa217ffdc87c1874aa73b937849b5218a404ec5372c88d

SHA512
4cbf93c3c1ae557221999c2ac854b37049a19bf57622b8be714f92cb0a60d6e61ade8ab8d4734d88b1a32bc1eb90ac2bdb318e5f23e6ae94ed419080deed0954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
46f65ee9248a3f13d4900715d529a3d5

SHA1
3fb454f76142b1b1755b45951ea1bfad63cf5d56

SHA256
96a96520294b0360261a9d14229b9c14abfcc9a2c79518766d4e4a274fbf6a8a

SHA512
f58465e6af5ba3d2a8ca74bcbc468515c0ea4fe7d91d21ed69a22e9a0c950ca2664fb3b6510500ad21c1b8b9b4400d6b2dbc166958d1fd22578e83ca1dc9b386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
845d2fc76a69fbc6e75278ba4e29edeb

SHA1
00389f7a5f4f65170416aad3a9f24450d306e8e1

SHA256
86ae0c5cfdc08d46407dc11b7abae3c66b6fd38d78bcfca354d30fdea7be768f

SHA512
14195bd849030ddfb6544d818e062cd7cb973e9298a58a5523fad115966123d136c048e5055ab350f48e67f528305346796fa4fb3b9987ff75433b937a2f34c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
244baa7ccb1c263d1ee518cd5c28f188

SHA1
2f0963093d618ab5ee65fdc7394d3bf8b41a6989

SHA256
ba8e41c687c1d3f2ccec376a97e6f1e74562ffcdf0e5ac2471498c0e0252ffa1

SHA512
53c29a1a312c5db63f195c9d80fc4d0520498bd0d69e05ddc6be88dad8bdc31f154c95a25964c7d13263bd324e5c98a51434d19242f48a5f8a84a9cba1471fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1606cb6a74fef3649e65bd86abae9749

SHA1
f3b989494fc1415406dd82633c836accad559ad0

SHA256
07da3a19191b4304506842430f8052a01e8d38285a4349648346cae56875100a

SHA512
87c7cbf5dcd4bf6f0ca2030a162990ef0bbe9f556a6abb639b40d3e856787c17424ca911a67d42285a53d81b5a464f8fd5dc9d96b5f2bc96ec737cabdf7b901a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36472c0d159dbfed0e91946dda89cb40

SHA1
190f6b40748cbd0c36defc589bbee758633142f3

SHA256
b4bca953c28b8d69da47e8e1d25f22bc49fe0530e0f2754fa53827c47327ab83

SHA512
8e1b70d0c2b9d0a9cfd6606ca08da93cc4296524c4deab3ae4bd284174af4c2b2dd7f6fbb7db8f9745471e9678ee146bc58af19a897aafea98eb151ec74193fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59d4a0ef965fe0b70dacc2b32e81aa29

SHA1
af56271c8dee0b8157588b2009a481cb973c67f0

SHA256
a136402133aa942f1e5bab90be5a5d637094986eb655ffb4fd77f4debccdcd77

SHA512
73523b3541748cc55cac167ff61e56532e26129e05f5dec3028b35c65ba199491460aab2f2148eb1b6800d42d307164a185b25d264f29a47eb6a602b30876ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5897b7.TMP

Filesize
371B

MD5
df15a66884236f15629a2e211b7a5f36

SHA1
53d38702c94c71d0f156c196287696d40a693fe4

SHA256
aa72b1e77201ed47b9fb32d63194b84f4cfdda1879d25e24b0c973d0d02eeabe

SHA512
03c1547ce266701de59e6357a85a2a6750e125e4dcc02c1078555f18e9ebe10434e37a78c2bb992fc01d0f057cdf91cc75f73d5588b504a79655f85f139b1d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27068ff0e9ad94c034007885ef85b225

SHA1
a86f913668751b71ecb20ac8d03966827ff08085

SHA256
d559c013b7b559f382d18e3433c3d7d01518be3d9db358e1323b714381a55d4c

SHA512
99f468979790c4ec9f3fc51b36ce2c85431ec98ac184872c4df149d2264db2116d8d7688f4e8433e6fff7784b666dad305b512a5fd6e6f447aa1f4d284192a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
466cebbc4a718b5270d716d8a15206f4

SHA1
3b301291b68d554afa0fb915069c0e717bd7ff7a

SHA256
4e80383b12710434c4796f7f21e002f6bf9baf12fec17dfe040990fcaa61ffc0

SHA512
1daf7c8a55888d0f46087e55f736f0f558a3c3bb344743f31170c2d09842a3cdf7f49bb129dae0929fc506e5964db968a5d2bbdc886d887a8b7c3b19d82a7e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
37004c297782f3ffc3559f3e538a2703

SHA1
fbeb4186c8a985af8676821236a23e0ce9a91ad3

SHA256
11c3ac75b96acc129a4a86788954d2ddce9876b5f1d504f22c04a9483800ea16

SHA512
90816e3ea9d589bf48b26a816881a30a091e57e348a40b695d7d3888eac811ae0e0be01c0d9a3377d9867ab9453e0eaadf715077de03d96ed9bbd5704974656c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{89B56CFC-0270-4ACF-8BF1-048251FD9E08}\_6FEFF9B68218417F98F549.exe

Filesize
1KB

MD5
e046ab645ea8327c9093bfe1b2631821

SHA1
31e27273902e2bb0a72cec097ea766c0c58636f4

SHA256
2ae65ffa0fc37ec42d6c5bd9803a0c4fdf3cd007c743f0f0926ddaf7e12596f3

SHA512
2f95dc95a0b13ec0649854955ce5f54c839119f3e7c55d8cbfc604b27ef971152e61fd5bafd44e28454a9f56e1e0aa1f5fd3f4b43c48cb7ba4cf74600f814f22

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\CODEX.ini

Filesize
228B

MD5
9a3305686dc02d2a23e3552a275bfd3f

SHA1
8a3e15d45c6bca89cac8c0895d452abc02bf21cc

SHA256
b44a8ab85e537125cedf0ed5c8ddc5efa7eef4549f148d6bf4477d05e079df8c

SHA512
3bad461549bd41b4a371314f75853328c29a6544b58315dcae2bd27bc4ebec099da1b784337e3a823133299a3ba65d9158eaf65fbbe1575fdef04774167f70df

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\CPlay.ini

Filesize
293B

MD5
7cd5412fa012ca8f94a56605f5c7c8e4

SHA1
0f338dfe1c112e88752340d87ffa289edcf03bf6

SHA256
2000839daeeb5800beddafe30df095b79f32e7af1e9c3b08ed8b3ede27420407

SHA512
600833d8351427b0483ef62ce67fcb2189b8dfe557610f08bac9bf4a3b07d9ed1bd397d260330bfb40278b6e58fc606edcca9b19da57b359d82c4d04f7011fe0

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\HOWTOUSE.txt

Filesize
1KB

MD5
bb3d8b729cd7575889cc50c6a754c994

SHA1
ef1ac3fdaf3354fb96bfda456951c4812de5843e

SHA256
fb2691e2f53674a6d1689155317bc50f15484cd35f0561cd02db20d17533937c

SHA512
d7e46c8dcddc4e2c811f5f0d8b9138c0e75fea57d4884f4ea0bbf5d06c9d76cf573fda1c8de5aa648e81f624dea00822a557cc52c0638e28d807c6261f362fbd

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader.dll

Filesize
329KB

MD5
eddbbe03714c5d30ffce07f09bb76d7e

SHA1
981887bdfb03aa58459a662bb3669fb473fc1fbd

SHA256
04dca7ecbed3dc6bb288758e542a5b3a8b612c6626bbc51abe8ea173230f4a1f

SHA512
2fafe9567079a399f94f762b1c635480ede300e53b1863d024bb37b5ab40bf64218ae7189ed42fb7f0a7266fd92458fbf04569a2d32b26ad5343da8adce57356

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader64.cdx

Filesize
540KB

MD5
9d64e0e3a07b6c001ed8f106bff9373c

SHA1
c255915d9d76af364b3c4bfc67f46e3a3f178af4

SHA256
59ed3e8b2174043962359a3d7d76e7b64354427a501f4ba17b3deebadf67648b

SHA512
69a6d53885e02399fffd33f55f21c14798b9d5e61ee241838c296044b66c1ebc92a3e5125a99a4e453d0e576d8d46b81e46f062fe6bee7b83e5e1c9c30a72723

Download Submit
C:\Users\Admin\Downloads\Plazas\CPlay\uplay_r1_loader64.dll

Filesize
329KB

MD5
db68a475a247e2c31d452478c222a5ac

SHA1
7ecf6c06c883b60e7f1658f24d1f61b4f99cf4d6

SHA256
051316aae5c7c076df5d4489491a5ab760a640ca9723553d45feed12fe6cf99f

SHA512
1a50dc997386b7a190b03b373a3894cef858015dd9ee9d076d53fa76a5c420d9f2550559e4ece983d65ba7c9edaf174376341505a4d99b1eb5a6bd8c3bd2153e

Download Submit
C:\Users\Admin\Downloads\Plazas\PLAZA_NEW\uplay_r1_loader.dll

Filesize
423KB

MD5
ebbf77e67da7441c4619fe1e00fbc40c

SHA1
ffd10ddc7dd63e7cd18ea658d94751d5d167afd2

SHA256
c1508bd4782cc3707017305322684ba59f60fd183ad8c04aeeecabc99a4a5aeb

SHA512
5b36517dbfccc4d4e725eb3f03cf851ecdd9fd72958d4593cc636cbf1b8c8763915b6630dfc5d13d1f20ed81dbe1887c1314bff1bd589c12d344125aff36b5ca

Download Submit
C:\Users\Admin\Downloads\Plazas\Plazas.sfv

Filesize
7KB

MD5
eb939f24ea2fbc32fd11d9757d5e41a9

SHA1
c30103e69fdd74dfdfc21b8f6178cbb4551c8ba4

SHA256
6f14d3bab5f5a827153218d098106da730b6fa7946a03cba7c909716e270f2f3

SHA512
0ec6be4f1dc889816f2a6685f1b07d96de5b78082be249d860c6e24f6bdc6ddfb7bf8ffc4488a7b1dccfac9e463746c19ccf2676de0691bd5b2485359500e9ee

Download Submit
C:\Users\Admin\Downloads\Plazas\Readme.txt

Filesize
131B

MD5
000bd41eeacc71f6ac171903381fa59a

SHA1
f2eaf06e601a65d2d1e123a5fe9228b9eaef622e

SHA256
981bf8cf5636693e3b02c227407cdc1c520b4333d06507d33c2d56540b805ffd

SHA512
e5c3798693948f25b3810c083953d746e50fc64f2de3c5eca2f66fd0ea545eff3c0cc2eb6b42e4d729503cc33915bc1e5b9cffa6941fc3aff3f0b74b84c1da40

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\cream_api.ini

Filesize
1KB

MD5
0e3fbeaa6e089812fd90b1749cffdb25

SHA1
cad098e2a77d39401971ef52774d735459b7ff2a

SHA256
a8019db2b87e4822af7dc3722dfe44eb0fad2a0794b39101b750e3b7effb03e2

SHA512
f331629a0fba524c386c32c7ea54beb3e7db2b83ab8154fcbb2bd64ccbb8c0016906f7affd5192037fced21928f3d81258f5687a64a071a3a1aa96cb62af3745

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\steam_api64.dll

Filesize
697KB

MD5
9ff5374f639aba21ec77932b0b572697

SHA1
bb31b3fbe031e678343f5c525b30ef8f0c410195

SHA256
b69b8ec4d7b9c39c92075f85d7339203ecc45ccbec54703f4e6c0099c0722654

SHA512
1b6f24835c0fa9eebf1480174e7df9b42cbdb55e6bfd0cd1c73a7bbe57b7e7548472db0183fcb861d5e3815d6bd2b6a97e5dcdad6f924bbef33b704d7acd5a90

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\steam_api64_o.dll

Filesize
256KB

MD5
8afde2d19c89d0bf1a9f6ec475aa0ebb

SHA1
7d1453b841dfb1101ab45f63d3b4294b6c5d0cb6

SHA256
473f5a312b56519f347741b63f3dea590946b96ea40ef3803d5f452c39af2f1e

SHA512
4166361eead938b1a01f110ae3acd3660f5123ccf97b4504ed0577b3eedbe57cee5222aef037524de6051a6727c88161a4aa250b4ae60fd84ccfb2591d1b2090

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR1\uplay_r164_o.dll

Filesize
214KB

MD5
ca26813a9fc019890cfc682c629e7f28

SHA1
8c1d6c644a96ed8838a5ca48cea175317dc49ecc

SHA256
6640492f9467bbe29354e21568201a31734c3a67491e4c5b32cd9c20bdd0db5f

SHA512
ef06c481910614cdc1609457c2e6223d11ca54c6314f16389957bc362867afe1258a4507e681b8e10bfd8d7a4eb78cf76843589c5d6e34a6e6a1dcbb3d224759

Download Submit
C:\Users\Admin\Downloads\Plazas\UPCR2_NEW\RainbowSix.bat

Filesize
135B

MD5
47340c7961ec97a68bc52a0f57ded9dd

SHA1
1c4d50de1c7481024a9f654799119a074ee39b4d

SHA256
345f6ce301697aa847cbc95b35d399d6eb5c87ac02fc56399eb3dd69038e2cfa

SHA512
c1115aaa841b4eb4a750f1d92234a0a121f83f46f7be9dec9d348f42c408608e8ef2cd3fe908f9034aba90e5898b30fe35ee717302ef568d588c36433737ea57

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\readme.txt

Filesize
168B

MD5
80c3e5e5f8000b1156d4d0a0ff4dbd0c

SHA1
d83268d25c444ee4e2a5f5241556f8dd72f49492

SHA256
fb3ea9107b276ba7aee29de52cd7e40cfa65170a6b71ac119db7da96ec7dc6b9

SHA512
71ae7eee9a8c9ff0dceac49ab4d9ae573d1c32c01528949c87ec7c53b50c74d9623748d14f765981d12329f37e55283225267c8bcc309a151ad3ca775824e03d

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_api64.dll

Filesize
1.9MB

MD5
37a7e0deae6e7bd1154f8fd059f9a241

SHA1
5787b8db0d0d656d13474cd7d2caf66c443e181c

SHA256
eb9b78ef3c339591c1993c9c364098de386edd391e1169ea0a6daa39ae9735a9

SHA512
6d375c3abceb83a48b277ebafa7da24128fa97cdde7b3f3e89970671582ff3af8a413fead8d074127a97fc34cc423fd218f878ee3a218f6f28be3aededbf83f7

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_appid.txt

Filesize
8B

MD5
1771a9bff4cc257daf7254d6a8957251

SHA1
7e2351512eeba61f6ed5d28ea7cfc3ce122bd0c0

SHA256
fd0e883ed180abbaecc1c0b833ee9c8f26bc842717108e4c4ae6fe4efc5fb190

SHA512
45bf7466683ed7deecaca6cf6875dd4a0f584ce0bb18f7627c4b74b3d6e1dc60966518346779b301d11527d88cda5af53f8a825b991d8cf45296f6fb0ded3348

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_interfaces.txt

Filesize
629B

MD5
cca6bd0fd6345948ead85477cb99cabc

SHA1
b5269252dddeee7c81a15aee1797573b116ebf19

SHA256
b5f59def7c96dc2bf594f4bd2cf6afc99936047287a3083e73360cb04b0d07ed

SHA512
d366000a04b5fd8ea5cc7b2486ee5dd1c419f05e8de7a0f091e632b15dc6172fbb0f074c0aef6d5037567192fc23e12f99a430413ac1b54fc7414f535e7d00f3

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\account_name.txt

Filesize
8B

MD5
7e20d471144b1bff4e1f5d953e05ed15

SHA1
e90ed7a9db5e1d4dd3bc2c23b48aad6594d59d3d

SHA256
ff1eb40ad0e8c5db08556da1e61803e96c88a120c4e88dc430232c5a3d45db57

SHA512
ecc5dd4c6de364f17beeeb0b1845b11fecc6fd98943bd294a7d1de933f3530550fdd9633fc05a8cdd5bbfb97ce1324c42664ebc41d2a66d6f715527900f4376b

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\language.txt

Filesize
7B

MD5
ba0a6ddd94c73698a3658f92ac222f8a

SHA1
1b669334dae8ebafa433f0175b5fd418a7bc0975

SHA256
b6234d2ea0d6022be63db80d7b80e221097fe4a469dc44febcd2a9241effdeba

SHA512
0882b702e0f4c1db1701789796ab1d12d72627811b67299bf36b9b25c29465cc24e72483d171c435368dc9f777837d2bd45ccff293de2207d32ba58a6ac01023

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steam_settings\settings\listen_port.txt

Filesize
5B

MD5
76bf79e9a0a4c128d97dbd6900773f4b

SHA1
8abb38a924d5bf8a1ee12fe96aa2d2be942704d6

SHA256
45095e3e3f29ea73ffab2e23158b7cd2afa6532004b5a9b6f06d4e5e068a89aa

SHA512
8cd54c07d87c41103d963eb7dfd2642b07bb67ceb731b477fc9cd9b736ab03833dc2e2d0b2eb399002d76d405a20d5816d19d77ef760d7dac0c1a67d80662535

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\steamclient64.dll

Filesize
87KB

MD5
4cff480250b8541bdb077f91a89d1cd4

SHA1
a6784b2e7d51eb6add17ba7c9edd6f4c345abcbb

SHA256
1a1399561cfb9dd02ec18cffae62444feee2c818ebc419b8b40f244b9fc4ed2e

SHA512
90b8043428dd9574c0319457f9199beae4fe80490c85817524fe3b98f9a587e13101fe34fbfc64d24f158db61d2726ac35df77b2a9d5a7c0d12e1e9a308a9e5f

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\upc_r2_loader.dll

Filesize
125KB

MD5
43f6c7a25644e2b1f6860519aaaef780

SHA1
3618d1323761fad2075c7ee2af3c451e9eeb2e15

SHA256
8b84e4a64ff67878f2cd3a47fb4a95d45e18687554f3591a0e4bc6b377e92b6f

SHA512
565fff2aad2ee0da907ee50ca52e7abd18c6eb16d083967240261968a86ad4900fe00e64669a9b40eb27d5378775001449fd991a5d3327be6f23ed2819aa1c0e

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\upc_r2_loader64.dll

Filesize
164KB

MD5
4c669990aac12ed5c6b8b93478907bc5

SHA1
5a1f34b48ffc100688f50086be0a87e2eb634fb3

SHA256
a4c0299cfacf1a382312e59771a43c6aa69832bf3c81d52c321929b69bfae4c5

SHA512
da51a8048f7bc78dcc1f85d4c7bec87d271cddb92a8e487de299fad29b5ff61add81e7dfa6f7afecee85333571d2db028f07c8339842104a66f671f3a048221a

Download Submit
C:\Users\Admin\Downloads\Plazas\Y8SX\uplay_r2.ini

Filesize
441B

MD5
9af9308871bbac83d24ba0a42dd66199

SHA1
fd53820d3afe2e0ed8588e506d57ad069f757cbe

SHA256
d8148522681840e15124e7521a657dd7595d228ae5ac7d0aff216afa70c35c27

SHA512
3af3f843e43304cdbc0f512b304247ca8271f2d5f33f2a6d588c7908b4eee6c093f8b43df9a5e116027eeec98abd86b31a15bb0b0f580bdafccb44416813bc2c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 586442.crdownload

Filesize
8.3MB

MD5
941c65435261bd8b2e438fe6df8ecbdd

SHA1
18a937803e39d42e6ae8213fc45262860b52233e

SHA256
13800d62cbd2796c73c83dedaeb6795eac7549754e5bd31c515b1f4f00702266

SHA512
d899f27528bac0e8fd41b1ed9e0f9a61610510b616bc5e6a6d743a04bad9a7add2d95ca8bd8859d6f09ed151cdf94129c98c8a298f2b0a598d497fe5d709716b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977360.crdownload

Filesize
222KB

MD5
cc64b8581dd8dfee976ac258f5df998c

SHA1
20bd263557a8bf7bbaa90ecaeb60bcb09b79c8ba

SHA256
7b4ced15746973773882579b2740b3f2c6a76e739511f1fa352babc96b08e79f

SHA512
538067f341ea41e2cbbf16d11d4d359be2c4067d3cccbd6a85f8cc5395e6a120f73a26af0e5b303f06eeb7447466696196af9bcd16adac66b321ccb6af163e4a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
cc392e33811e766ceb48c41ad22f23cb

SHA1
eea35248a087b3d89c25482006c86090e072bfb9

SHA256
0348bed6f3b6edffbd26545d698e4a41b1b8fb5717d584409f04426e44aae8bb

SHA512
93578ceff5a1e52d52d013345aff1cad75bd2d8ed728f1aee3907b5f72cc23c522944d3b12b33b215f1cb708dcef5ffb46f39ea475aa4ad76bd047663328b66b

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9d68e72e-364d-4196-8975-c4dc16bf2db8}_OnDiskSnapshotProp

Filesize
6KB

MD5
2991b64f53c62242f98743ed880deffc

SHA1
c4dfd10feac0c6eab141eb0b26033b470919651c

SHA256
0cfb4946a23a4bd76bca4ab434dceba7dc1d1da53bfe5b6535e6df30e71c894f

SHA512
5c2ae71be82c19ab740d07c32829497d1bc36f86dc6787c097fcf9009591fd3e3d0ba53460b9d9d9027c63a3eef35c15d8eb774dca48564c5e07a40acb497d6d

Download Submit