03eb8137f1276e939f6eff4dbf8b8ef68001c2c245bfbc537347153a2fa9f0ed

Analysis

max time kernel
206s
max time network
222s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Brain.A.zip
Size

286KB
MD5

d233096f5a149aab0322bfd2e72aebb4
SHA1

2059dcd4adda140b042e65b0b0539fa4f27cf141
SHA256

03eb8137f1276e939f6eff4dbf8b8ef68001c2c245bfbc537347153a2fa9f0ed
SHA512

1934513f819cc64411aecf583d079dc02baaffbb3583883cb4bb5c4acf84c56405d3a0addd13186b2ac62a51babe235d47c1315734f10afa2c3800251fbdbca0
SSDEEP

6144:ouoG32n9ddKM2vkm0aWyRv3091vZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vi0Zj33:JoG32n9ddKM2vkm0aWyRv3091vZJT3Cz

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
110	camo.githubusercontent.com
117	raw.githubusercontent.com
118	raw.githubusercontent.com
119	raw.githubusercontent.com
100	camo.githubusercontent.com
105	camo.githubusercontent.com
109	camo.githubusercontent.com
120	raw.githubusercontent.com
103	camo.githubusercontent.com
107	camo.githubusercontent.com
108	camo.githubusercontent.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\Brain.A.zip:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1164 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zG.exe

pid process

1420 7zG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Brain.A.zip:Zone.Identifier	firefox.exe

pid	process
1164	NOTEPAD.EXE

pid	process
1420	7zG.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeDebugPrivilege	2640	firefox.exe
Token: SeRestorePrivilege	1420	7zG.exe
Token: 35	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe
Token: SeSecurityPrivilege	1420	7zG.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe7zG.exe

pid process

2640 firefox.exe
2640 firefox.exe
2640 firefox.exe
2640 firefox.exe
1420 7zG.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2640 firefox.exe
2640 firefox.exe
2640 firefox.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

firefox.exe

pid process

2640 firefox.exe
2640 firefox.exe
2640 firefox.exe

pid	process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe
1420	7zG.exe

pid	process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe

pid	process
2640	firefox.exe
2640	firefox.exe
2640	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2604 wrote to memory of 2640	2604	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2516	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2516	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2516	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 2436	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 1656	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 1656	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 1656	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 1656	2640	firefox.exe	firefox.exe
PID 2640 wrote to memory of 1656	2640	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Brain.A.zip
1⤵
PID:2220

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.0.1361807314\553850994" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1188 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb758230-205c-46ea-9040-6c2762defa68} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1284 11fb9058 gpu
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.1.1447810407\2082435966" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7641be-e19f-4621-9f68-4d73c1e1afbf} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1488 e70758 socket
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.2.376217951\827276050" -childID 1 -isForBrowser -prefsHandle 1964 -prefMapHandle 1980 -prefsLen 20933 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d44400c-413a-44e7-9d86-9f7064c34089} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2224 19f68c58 tab
    3⤵
    PID:1656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.3.1694733760\1972740265" -childID 2 -isForBrowser -prefsHandle 2540 -prefMapHandle 540 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65922f52-17e3-42d6-bdce-41b5a191f3b3} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 1628 e68458 tab
    3⤵
    PID:1948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.4.1566763895\1169853285" -childID 3 -isForBrowser -prefsHandle 2924 -prefMapHandle 2904 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be1b7847-39df-4571-ab6e-29c76b26d735} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 2940 1bc61558 tab
    3⤵
    PID:1060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.5.1676555872\688110987" -childID 4 -isForBrowser -prefsHandle 3708 -prefMapHandle 3728 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f22b8976-e61b-414e-8cc8-ca4771c0872a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3744 1e08df58 tab
    3⤵
    PID:1896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.6.683797457\91852139" -childID 5 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0c78f3-74d8-4c83-a80c-66cb99cd543f} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3840 1e89f158 tab
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.7.1328626641\1417717738" -childID 6 -isForBrowser -prefsHandle 4036 -prefMapHandle 4040 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e9d3fc-ee87-4c58-a6a3-0dc0826c243d} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 4024 1e89e258 tab
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.8.1695784199\188342298" -childID 7 -isForBrowser -prefsHandle 4404 -prefMapHandle 4376 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1791d1f7-839d-42f1-9bdb-529f734aa32d} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 4416 20dc1d58 tab
    3⤵
    PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2640.9.639036362\992154674" -childID 8 -isForBrowser -prefsHandle 3804 -prefMapHandle 1112 -prefsLen 26691 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8bad59e-1d66-45f6-8c70-5ff60d928714} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" 3260 103fad58 tab
    3⤵
    PID:2140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Brain.A\" -ad -an -ai#7zMap31607:76:7zEvent17981
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Brain.A\Brain.A.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\cache2\doomed\29957

Filesize
9KB

MD5
91a88451fc90b809eeb147442e69986e

SHA1
910db1b527451ad0ebd7f39d30bfde2cfc10bd4a

SHA256
580ccc6e8a64da6c3f9c16e504b23b44bb4461cc310eb4ebfe3cc48019c8b191

SHA512
11970038ff8c4a5a042ca170b33e4a9f73eca0e0112eec7d7c0494c8dcbad5fbb6f5bd6e5763a95009435b4da3f38b70418696daac152afe3117989cbecac6e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gdoevwuq.default-release\jumpListCache\+9IfQtkETCVqkhH9y4NV8g==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ffc652ab8908bffd7955f1c2610f03c3

SHA1
403b44fc0a5b92ec37fd97f9de91f240dca88cbf

SHA256
52e0e257f7e7321c7df4c5b5d0d3972cebc294fab3250bc322f6e55685c201aa

SHA512
eb83e8eb79ed9e593aed14479b027791be0b6ddb79735ebf656c1a8db78c07f502a56ccc750b6605e910ae4289c4e89d8136c6e6f8345a254fc8ac5474d0660b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\24a771b3-a9a0-4853-b98e-db6acd80bc8c

Filesize
855B

MD5
04f599a3d76589e4dd52cb7f30ecdf91

SHA1
22c65a8f57ff765243ffdaaf27055c8987f34be4

SHA256
9cd6efd1c1ecd535a47fbe9dec63067410baad1661a25aca76d327be7d722fba

SHA512
6e302d88d854efc83e9e04007b5e9dd941ccca8ece47d6c9e87c1b0c7d11dff7e7e7e7b70a6a33c385bacd9032f4a45c810e259a354c34a552353372e269ad2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\99b2318a-695a-4582-a33b-c3d04c5fe8e9

Filesize
933B

MD5
6bbbc8bd5d4f53d42dd012445d9b2a50

SHA1
a545ebd9b370e67f92e25af0ad2f1fbd80c15dc4

SHA256
5acc04f936f0bc5a12796d0eedacd3b0d158bf2193dc00ba7817eb8681d15844

SHA512
d07d2c9d80735b820b5c8f9ddb7e8ab9337c167550763f9e012297cacec835a8ef987dd3a7a54288bbd2d43345738cb42c8288666ea774434e0149a8e8e0169e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\a9c15d5e-e130-4a43-b630-551a679edc68

Filesize
12KB

MD5
a6324b03df046ca6a3ff95e6eef69f6e

SHA1
1d772fc50c95b8d732e59eb0de3db0219f0f18c7

SHA256
203c84a538c78de6d7689ac4e59dff2368075837c8ecc3d763e0210820af4d75

SHA512
ba71cce6f687ec9e96feb1e9bbf3c1dc8d14d1bd792bf2cbc46fe14a4658c81bb7dfd2b29530328e576eef8a4af7b7a17cb0846ca0f840e9b3079c55052fc4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\datareporting\glean\pending_pings\ddd59360-5fca-42ac-a111-ebad5aac9a73

Filesize
745B

MD5
c15bd7f4c3be2ba0447678bed8b7da55

SHA1
8d1dba9d2db9dd842751d25cd731b746aaa46421

SHA256
e8c2fd03ded6be3dee16022018182c37e57f6edc439afdbed9918cae2bdd7fb0

SHA512
4e89b261b30616f7249cc473382f9653f00d1f91ce270399bdfc0375081c96b52c1f0ad8298db3d961a96f550440b564c67e9e3360adbcd0e2ebde319d4e80c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js

Filesize
6KB

MD5
8c69149845eb0ba2b2843534b79d39f3

SHA1
0f38feeffa5cea068518701732f9d7446fa26f70

SHA256
1376066915b45bb6abecfff36f83b48f2ab2d38baa8bd69ddab782a7169ced22

SHA512
7836039bb732f8a0737c814f91a7297b8a052e1d4c17c2367d6323a4e4e9d0fc6b93de2470d35ddacc313bbea0e3080fca045012110b923664ff827f8a8a3e80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs-1.js

Filesize
6KB

MD5
90bf6d6c9170febc2470af74be59662b

SHA1
11b5880597f41fed6bfae92fadf01b2487e6c542

SHA256
c8cd211ad47ea22336a013d4f6e141ab4fc5b9f919cdc9f014e8d0cf2286f742

SHA512
ecb49e9965474af258bd3dfe6aefe73a6e1662f8098843ce548342f3b4e0cf5de5bca7f5b760f5f201134b70ba9cc887df21423e0d4ed35b12c56dd94cfe568e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3e5f514e0631dfcb2338ef0367aee532

SHA1
4db765ed87cb5ae30cdbaa3e406b4270522f0e7b

SHA256
6e6411fe19b18ff4d7e7eb68a57812b3a1db4a8f73fe1a97eff4fc0aab80135f

SHA512
30d83697c0fcfadf6e450ffd12d2dbb16697a2f8b8a9907188cc8a629e970b9898e19c49ae3194d44fab70442d5aeb95a1333c0c0a27e895fa0228234019d186

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
d6ac56cffd06b4f642aeea5cd2fcd5d3

SHA1
b5ac55ed976626373ed4fd9f99dbbc4af577e157

SHA256
61dd7cbe624ddd2251449c71e2aa6ae8b883464aed93fda1b9961e6728a57e1c

SHA512
2b633f2d4bd29cbec8331426e43a78a9945bd072ac2d895c913e8ddbf77445058ec9b9fd6af394595cd1262bb8700e88db5af16bb8169eae77f440dae4d90674

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
05791de0271a2510ec5aeb5ca5323f86

SHA1
31452ad531638883952fd9640793204c356144a3

SHA256
2c782a82df9652287b9ea64ddc3d7ba91259dc5ffed6ad3138a6c98450db703b

SHA512
da81ed9ad3a1e13d6b5df2bef07bd13b5019b875bfea22b0c4ef9ca184538161265a3889d740756bd62aab74c4fb5df42bd9814ebd0234129e7ea0e139004315

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
b32be6e0425d21325cfaae263f88d94b

SHA1
7161b68c18910cd9f5147b3cea6c98ae0351bae6

SHA256
8c172dfca7dd387509e46f8b6e7f8129976a7edb28f217747c67fad06d0bbff6

SHA512
c76d7a8468187aa6b2deae284bb5e827aeccf900d58a6261c7e46f347726503e1ebf67ea7f3a8b7677643e77385565a969452591d6f9c9d3cda6d5b26b0d7165

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
de052c3a6e73bbccce972b9046e37f83

SHA1
c896aacbd4775ab265afe9fc38d80ed85b3d5fbc

SHA256
80913c98cccede95d16565853cc68a0924f519554cac192d7db4b25fe93df024

SHA512
7bf03dad1cc77800f4711504f4b2a2c881c8bd0c1414725b1b66c540f84d2baf0218c3ec2dd977d90f046f5e750ec0d696cc005126cdd46dcd6dd6c76a186288

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
f858ad801c528d28dca27447d85e2423

SHA1
86da51a772da5ffd6cc794d2bda7fd4af68f4991

SHA256
b1c5bda5437e04cb1087bad3fede78de575c4fce0bbbde445e6af44c8b87f11b

SHA512
852c8cadeac13fd4749c16fb2f0366be3cf621bf043731add10d35f7c61914f9c7f3b44f005abdf2cfb04bd83c94a80be2303aef4219af35c82b2a88116d36b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
b84a8d6d9c0593325625dcc6f0c0bc63

SHA1
6b647c08b25f7ca96c1b900782075eafcaac97e7

SHA256
479c709e9a8c1240cddb3f2d74ea7e2292cb2dd2bc96a31a2a3ecf5a3b39d275

SHA512
472cb2c085ecf12f18c864522ce836dad8ffc4e2eafb8ac2720954f02ac55957d2f81bdf655ca6cd728d28cc2bdff6c142dce707869be119a94e5ea33b074a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
84915a4201d8a8e0564944a76ad800b0

SHA1
898b5b1061e0ab66aaf128107f8ebe071214eae1

SHA256
8fa1acacc57ac6b358b867004a18c6e99ac57069dd50b618689c3c2304ca1a95

SHA512
fbc253aefd6b8977297a5823e6736b68c64b45f0c9c0f4c344d23977ee31e6d798b197ceb4ed2d4dbe7392dc9459b5a8eb3fd20b4d87217f32b755c4afd03a8d

Download Submit
C:\Users\Admin\Desktop\Brain.A\Brain.A.txt

Filesize
2KB

MD5
630a6d7268a23c00ab9af46b5e57c331

SHA1
4395a1070b3c886ba4606ca8748ad3cdb39b22dd

SHA256
7a6a41b23cdab9d3128e7f61b78fbd7b396c2739f3168454f6bfde8068283749

SHA512
1367dc1a77f372dbf979ac77f2cbea65a036f169e17a9bc83cd7e1ef44058328428649595205c09ecb392f1c95ee34749b476515d3f98b628c10a7ca24755b6b

Download Submit
C:\Users\Admin\Downloads\SLCVzl8V.zip.part

Filesize
59KB

MD5
c56f135fdaff397ad207f61b4f2042fe

SHA1
03f1e073761af071d373f025359da84ec39ada19

SHA256
d636ffa6537b80d475731d6878b014a44a390bddc383eea5263a1dad4765f0d2

SHA512
d0cd72274ab23f5369ef9e0bd2f22a097952c3060fdd86991e1ba30cac32c87d053a6703ecf9bcc30e07ffb41efe2e9ccb5b28be987aaf31e629587e1fb85ec2

Download Submit