orcus | de0853a9548c4ee17f3f0bab331c38aced7feff18968aa3beb08fa8d3f6eeda4

Analysis

max time kernel
298s
max time network
300s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-01-2025 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

idk.exe
Size

839KB
MD5

50164ef17304f1f7c3629eb91e032d00
SHA1

461db872921ccbb108e0e48ce75c370f420a001c
SHA256

de0853a9548c4ee17f3f0bab331c38aced7feff18968aa3beb08fa8d3f6eeda4
SHA512

355c9337247bcd7831c6576a6725473f21360dcb779313f1082bd59bbc089e4db0f32b8c3fc91efb5f3d76780a48edb84ecc0ac08f3fc43df8983f3b593c2ed3
SSDEEP

24576:SmIS04YNEMuExDiU6E5R9s8xY/2l/detnIbt+rX:xQ4auS+UjfU2TedIbt+r

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

/0.tcp.eu.ngrok.io:17906

Mutex

e98c39aba384472db49598b4cce744af

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/03/2025 22:22:01
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	idk.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	AudioDriver.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	idk.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	idk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	idk.exe
File created	C:\Windows\assembly\Desktop.ini	idk.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	idk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe
2920	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	AudioDriver.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe
Token: SeDebugPrivilege	4344	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
2920	AudioDriver.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2920	AudioDriver.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe
4344	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2920	1312	idk.exe	84
PID 1312 wrote to memory of 2920	1312	idk.exe	84
PID 1312 wrote to memory of 2920	1312	idk.exe	84
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 3516 wrote to memory of 4344	3516	firefox.exe	96
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 1144	4344	firefox.exe	97
PID 4344 wrote to memory of 3484	4344	firefox.exe	98
PID 4344 wrote to memory of 3484	4344	firefox.exe	98
PID 4344 wrote to memory of 3484	4344	firefox.exe	98
PID 4344 wrote to memory of 3484	4344	firefox.exe	98
PID 4344 wrote to memory of 3484	4344	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\idk.exe
"C:\Users\Admin\AppData\Local\Temp\idk.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55269abf-ddf1-4261-9358-03e44061d4ee} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" gpu
    3⤵
    PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2340 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75c94288-69bd-4f35-a90c-fc3671b8e396} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" socket
    3⤵
    PID:3484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1392 -childID 1 -isForBrowser -prefsHandle 1528 -prefMapHandle 2900 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af4dc026-dd45-4614-8bf2-aa489affb3df} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed41d65f-844b-463b-a7fb-dff305c84d2f} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4820 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f36297a-80cf-4b7c-859e-387426edaee4} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" utility
    3⤵
    - Checks processor information in registry
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62bec9d2-169a-4a0b-b5ab-a940b40b62fe} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5356 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6224437b-5211-4161-a085-0f697e05f682} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {133b4695-7d58-4e3b-a2a9-d804a300e533} 4344 "\\.\pipe\gecko-crash-server-pipe.4344" tab
    3⤵
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
1411eb4dadc6f942320e5dc2756f627b

SHA1
5ba52d4dc0ea857a5354b38b25d134ff82029e98

SHA256
fa4e593e255b5d1522f65730d1c8e4d2ce0b6cece88739eddbc45287dac94b3a

SHA512
928d0637844a6f24b05669fdb290cfc5b0c0bebbe6c9bcedfda708ae9528efe5aa1e08bd7b65d31205fbf823abdec1a2337a2b0680b62057102a9e0bcd4ac9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
839KB

MD5
50164ef17304f1f7c3629eb91e032d00

SHA1
461db872921ccbb108e0e48ce75c370f420a001c

SHA256
de0853a9548c4ee17f3f0bab331c38aced7feff18968aa3beb08fa8d3f6eeda4

SHA512
355c9337247bcd7831c6576a6725473f21360dcb779313f1082bd59bbc089e4db0f32b8c3fc91efb5f3d76780a48edb84ecc0ac08f3fc43df8983f3b593c2ed3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\AlternateServices.bin

Filesize
8KB

MD5
28da6e974648b66fdc5e47599fd88796

SHA1
76383c4c763582b5081b99582143922cff5387a8

SHA256
0289132300a4507ec937db8542dfb2b18c75770f6f04865da96b03ca83ce0d27

SHA512
945ae576ed7ec6e5b82b02e1018ccf7f51e629d42bf8a84dd6d6540e7d33f38ac7fcebadf2505a3317d7d592c3f04e8c27fadaff69db547beb5e5c8c7fdcfb35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
be85ad15f3b01d95452b29328d767921

SHA1
9018c2a26277c9729a0fb37f3884c9505ed824e1

SHA256
7450b5b00a6eec2646ca9118d80a1043bd87483bb565a0c60a1a8d5d34de24f6

SHA512
eca19ba5d35dd2e87521e41c72b0e083d73db5f4be64d23a8b0eb34679f1791b81436076ab4e1ea7adf3fa11dc60ee96cb836ef748a006cf3c74230c0e389f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1864c8d93b1eeba2d5c553f39aee2033

SHA1
65dd14e78bcc2d8f86dee1b060be8a72974abebd

SHA256
e7dff13f5fd1b79d8f4569605ba23b6a0708adb73e4bc9011b50a6e13211642b

SHA512
b0bf88eed351da14f2cc2f1ecfd406b5f6899f63225bf3c740ac371673b0f92339f623ba48029f38e319a53cc043fd2faf6ebc3c9c547aada1c23243c6e8383f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
1293f6a8fef8bf4646cf646d974a5806

SHA1
1e3abd5df7e29c21eaec0909d4f8f52f41801dc0

SHA256
a252b5b17e98d48911371d45a46b86ec514e23c9ec1770d1633b4e642e7bd03e

SHA512
ab4faf8f369741db78315d70f8f772906d9507ab163e4109fcb05a24710c59e2184fbd1055f95aa28937bfea852a94e736285fc02ffc411eafb737559622a488

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\03fcbab2-8913-49eb-bf1c-d256a20f7dc1

Filesize
982B

MD5
de293751c6528ae3050b861f7f678d92

SHA1
0cbdfd9b9a080b9f8372c1fe66d0cea4a6931a5c

SHA256
532f5a7b8bbd98efa6745966e10057c4801312c3d508994f02d2b87b4107941d

SHA512
c2ac64791f42f53df2b46aae7925396493b9dec49ccf636392218de639986301962b4804cfe00d07dd5228c818a428a6ed316454ce09fbaa94b6588587242064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\1a7bde19-aeea-4c54-975e-29e9e42994a9

Filesize
26KB

MD5
8225832d1ac22f971b7f4b8ba061c775

SHA1
02720cda23c129e16f79bd326173bc9c2dbfdaa4

SHA256
4b3f5366a58d7b370df66eb9a87e7577f3bfdba34d219845152b5d037ddce1bd

SHA512
57d54c6b86696ddef4cea54e075ca3ba4752be3289b864267ede8ab119b2b67d61ffcc6c1e7eac8b2af0ed2619dddb2518a2e8e7d868442d84d6ab2631d5a2e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\3efc56e1-cfd6-4a81-8ce7-5ec5b065248a

Filesize
671B

MD5
051f231f6ea5cd5e17087727e668553e

SHA1
e2418a3b664d9227ba686ae05615dff6ee282bfa

SHA256
7ed6aee54de5ad0e4da6a2e545d05639498a09c96a5734d3107a7eeee1b4cb5a

SHA512
ba33b505477877945d78c3f9fe4e8124f3192d4572f6357ac15e737df0c97a1383ecd7000064b966c7ad7fa63cf6f1c0bb95542bc7ee25eb65f49d50cb513f24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs-1.js

Filesize
10KB

MD5
9d0081ae236de18413f01032af36270e

SHA1
11d9ee457c35063b1e130225c0b17a2c2d08de10

SHA256
c4c759300efe24cb7d87eba1a88b92052616a57f6adaa7cae63bbee5c9173dcd

SHA512
f94952fa4b58991d2d9e21a858af18950009c97c9f7a49cd5a5895a5840300da90d9e6b9aedfb34e9550b8f02bd45a9d1d2faf4b91fcf395040a1e49ac65e9fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
fed37409b08748269bf19a8ebbd3d95c

SHA1
bd175870c8b4e2a49beec370e54248d84c899f80

SHA256
81a67216ce78437507f5c67e3d26039c56882fa5df261e2f215b35a0a0624525

SHA512
0d2a398d5bd8cdd687fac5f79c4e62ad83ea6571a8b444e9a4f68a9510dd226334d72a8345b0d7c7f0264a820fc5ea965ba6c3734c90e0918b9da2c4e45d6d1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
b9f26d6295c2fd5cbb505e550a77edf0

SHA1
2edcb957f31ebb4d69ffd9a57b539b3fa674ea72

SHA256
f346da82201456f9225fc3321180fc79d8d1adafb59a9a8140c029e2e2369933

SHA512
61e0a2591083e57e3cd887fc9fe9bd476d6604a87c6d73e155610aa20975db8965c56bb2ce9e267589651c9931f0f22a1893d03ad94a55eacf8927a25b9f7b95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bc90993fb7fe33b6faf01e76b32fb1eb

SHA1
06f74c5784077c8f5473368c3a5f3acfc3d52e4d

SHA256
121766c7078986d371390c3424b77273ca30a4b786d0f9027fdff11ff2689618

SHA512
1229ab656669bbcb3a7a6ae69be72e26c517a0b0703e6db7c025f43d0262492fae279d532209e40af89fdf03aa91d1cd151d65b56700b4015e9404bc0b9da98c

Download Submit
memory/1312-0-0x0000000074ED2000-0x0000000074ED3000-memory.dmp

Filesize
4KB

Download
memory/1312-1-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/1312-2-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/1312-7-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2920-10-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2920-8-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2920-9-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/2920-11-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download