blackmatter | c644cbce9a802252e9021e43959a90015538f3e8e40cbe87a518b9458389c4a8

Resubmissions

25-06-2024 15:43

240625-s6cz6a1gnj 10

25-06-2024 15:17

240625-sn4p6axdma 10

Analysis

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Size

79KB
MD5

62a1b4d4b461f4eaae91c70727f71604
SHA1

1ced9a7e62aa65faa03eb1ad2bc786e9d9b5f6c2
SHA256

706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
SHA512

d14f989f5f54663c3ea63526a000e8db5d172046e37f412ed47cd31eb14db071b515b854bbb3ab3d2f41f936b6962583aaa0b3ef1236aa2506148813f66ad542
SSDEEP

1536:DnICS4ArFnRoHhcVyid9EZZoi+zQ95f8IwdON:QZnmqVyq9EN+M95bwE

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

F:\SLV3R0d3t.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What data stolen? From your network was stolen 1000 GB of data. If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media. Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX >> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/72oJjilhMD/6d067a8741848166fa2ac1e69472280c

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/X3452I2VDTHM30QX

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Renames multiple (165) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\SLV3R0d3t.bmp"	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\SLV3R0d3t.bmp"	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "10"	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3264	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeBackupPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeDebugPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: 36	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeImpersonatePrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeIncBasePriorityPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeIncreaseQuotaPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: 33	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeManageVolumePrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeProfSingleProcessPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeRestorePrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeSecurityPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeSystemProfilePrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeTakeOwnershipPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeShutdownPrivilege	2652	706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
Token: SeBackupPrivilege	2604	vssvc.exe
Token: SeRestorePrivilege	2604	vssvc.exe
Token: SeAuditPrivilege	2604	vssvc.exe
Token: SeDebugPrivilege	2120	firefox.exe
Token: SeDebugPrivilege	2120	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2120	firefox.exe
2120	firefox.exe
2120	firefox.exe
2120	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2120	firefox.exe
2120	firefox.exe
2120	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1076	OpenWith.exe
2120	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 4928 wrote to memory of 2120	4928	firefox.exe	96
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 2924	2120	firefox.exe	97
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98
PID 2120 wrote to memory of 5020	2120	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe
"C:\Users\Admin\AppData\Local\Temp\706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.0.390266594\2101676216" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f450f3f0-6419-44f9-b643-e03ed6e0c9dd} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 1900 2777c7ef058 gpu
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.1.751234735\2103212124" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a003fba0-cc5f-4a20-bbec-bd8d2ed9b95c} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 2468 27770a8ab58 socket
    3⤵
    - Checks processor information in registry
    PID:5020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.2.713301921\711438345" -childID 1 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbfba88f-f118-4460-bc75-78c305d9eadc} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 3516 27702230e58 tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.3.890231484\1695232" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2b9b100-e2be-4a41-940e-a7ea6fe4d047} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 3088 27703efbc58 tab
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.4.1562009968\1581556991" -childID 3 -isForBrowser -prefsHandle 5084 -prefMapHandle 5068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fcc78d4-b9e9-4190-a830-6ae40459f180} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 5116 27706104458 tab
    3⤵
    PID:4928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.5.120821304\773271673" -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b83906c-3e61-4abd-83da-33856da5f225} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 5252 27706ac6258 tab
    3⤵
    PID:996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.6.243435039\73828713" -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5244 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c7018ed-5cd3-4943-b1d4-58ab01874edb} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 5460 27706ac7458 tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2120.7.1677526732\1975066979" -childID 6 -isForBrowser -prefsHandle 5924 -prefMapHandle 5920 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fc2b373-d485-49d6-bda4-f015c8edf7c6} 2120 "\\.\pipe\gecko-crash-server-pipe.2120" 5936 2770866d958 tab
    3⤵
    PID:3552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2580

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\SLV3R0d3t.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
9bcfac765fc74b907340aeedf2665fed

SHA1
e6d966f92b40e20709db9caf788d006eb44deda1

SHA256
b6deebe66f4d02111ed5686dcb753a81a89fc6f0f205d97a302fc7bcc5c5b1b5

SHA512
8c3b7ffd150b7b64b471867fea8dc0a42c1b079844c7ba97d2fd3ce05b477b7a4dd33db3165bc98f942a77d37c2633f418751bd67194ac4a1a9ac647337519bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
6KB

MD5
11700375fe1e34f0fb75487bd065baef

SHA1
1609d70dc44660285bc4812563f0e7a528e670de

SHA256
52a467a187eb4f1e750367d559d02339796818c3761ce42db88652b839416520

SHA512
4ead975c3d9eff801cc6f689132b1bfd8d615dc33cd763430902df07fc5817f4cfaaf3574bb1707c1217e53266aac31c70b7b815dd4e93cca84db0de38d4ffaa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
b096a0cd684545f5f6eb4ef65ff937e7

SHA1
b02b8d62a34310f60869e3ce955241bece4c810a

SHA256
b8eabb228ac3d44e0cf2b10e1b6f2294b5d6cf215e1eba7176cd64b4fe15c736

SHA512
8250682aad9c3a42b0ff505ddd8f1acd0fa797d9e7c8cac47b1746ec7ac7fe97f9094abd9dc8ee6831ceb8b206d6a481b049665654c63de92a4cacf371c9ba9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
308f50a24038b071f66db691bf0c3e3b

SHA1
89bedd627ee2c46cd28fb3552747b3556403b6d1

SHA256
495d166f4f57f716ec84e61318e1966845b075ab44cb88f7b8b4a8a867f623a5

SHA512
679835f2d03fd71e21fc204530d6dac0306bbc95fa47a74a2ff6546d764ad9b9c4b593c2d59bff72bb17cc712e1bc2fd45aa8bcdf82dcea419d9f971ac305d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
ac00157ac293d8bed87680352dbf820a

SHA1
d0ca3dd3bac5cf7a75c1ff883e6bd0a4783f5995

SHA256
4d5eb90affec601acaf76e6209efd8ddb4cae39bf7461048387d5ebdf53d3c5c

SHA512
331782195fd488207b36bce4329126aeda3cda8d1f483474da65eccad0a3128e629f8ab38906c4087b6554cc3276c0ddc9f42cd4b2a50cefaf9f07f84f50d5ec

Download Submit
F:\SLV3R0d3t.README.txt

Filesize
1KB

MD5
1ba53a2b703aeb54647185c18cc1ddbd

SHA1
0bf081ef67e7c9fb4e55c53f56aa332a17740a7a

SHA256
74e29716d6211d4c26ab0c3184affef6f275bfbfab2ec4dd4fb776fb76065173

SHA512
15f7a5870ad2decf6b09c56a6b5e3f5803e5071749fd4638470c19e02ef1fd0c4438e8f7e62a9f7b8792cd1893e748def44a0a8026f10c4a0268feecae9cf617

Download Submit
memory/2652-0-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2652-1-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2652-268-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/2652-269-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download