xenorat | 952da04c25c3e3fe225e909eeead4bc61a2c671fc619994b8ebd18cba8de59d5

Analysis

max time kernel
595s
max time network
600s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-08-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Galaxy Swapper V2.exe
Size

45KB
MD5

5027f040cb7176fda3c545808c10c6ac
SHA1

a46e3b750ccb179bcba01646f36471ad7f04f1cf
SHA256

952da04c25c3e3fe225e909eeead4bc61a2c671fc619994b8ebd18cba8de59d5
SHA512

566416f41b1e1c0b5df6446b8dff8804d106ed58593a3dc3c5907c030932297553e18d3fa4b891e383d66d418f6c3b21db498f422250cd4c9eb01327ecab26c7
SSDEEP

768:hdhO/poiiUcjlJInz0H9Xqk5nWEZ5SbTDaHuI7CPW55:fw+jjgnoH9XqcnW85SbTCuIB

Score

10^/10

xenorat defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xenorat

178.212.32.33

Mutex

Galaxy Swapper V2

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1040	Galaxy Swapper V2.exe
1900	Galaxy+Swapper+V2.exe
4640	Galaxy+Swapper+V2.exe
1424	Galaxy+Swapper+V2.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy+Swapper+V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy+Swapper+V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy Swapper V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy Swapper V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galaxy+Swapper+V2.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe\:Zone.Identifier:$DATA	Galaxy+Swapper+V2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe
Token: SeDebugPrivilege	4740	firefox.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe
4740	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1040	4528	Galaxy Swapper V2.exe	81
PID 4528 wrote to memory of 1040	4528	Galaxy Swapper V2.exe	81
PID 4528 wrote to memory of 1040	4528	Galaxy Swapper V2.exe	81
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 2136 wrote to memory of 4740	2136	firefox.exe	86
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 1684 wrote to memory of 464	1684	firefox.exe	88
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89
PID 4740 wrote to memory of 2792	4740	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper V2.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper V2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00caaf7a-a055-4326-9b96-ab35c6071852} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" gpu
    3⤵
    PID:2792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a770f88-a22a-4a8f-9de2-2dfac59c4c5e} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" socket
    3⤵
    PID:4220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 1652 -prefMapHandle 1648 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9519cd64-3c95-4a48-a33a-720bebcd8261} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:2268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 1692 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd9095ed-850e-42c9-89ba-b551aa0d7710} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:1612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4544 -prefMapHandle 4524 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b731794d-6db6-4266-9e39-8acc692991d1} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" utility
    3⤵
    - Checks processor information in registry
    PID:3768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5923071-b137-484b-b19e-529e323bcded} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69d5cc0-d835-4aa4-8ab4-c56d1a5400ae} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5940 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e8f4ef4-6efc-480a-a80f-46266be5b6ce} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 6 -isForBrowser -prefsHandle 5656 -prefMapHandle 5876 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c3a5c7-37ee-4a00-9a70-8b67fb4c4c23} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
    3⤵
    PID:5012
- - C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe
    "C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:1900
  - - C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4640
- - C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe
    "C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Galaxy Swapper V2.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
d8e79de03a96917ba64bf79f26a1ad18

SHA1
4aa447053aa1fa7760503683cb540ec2fe19d4d6

SHA256
629b5a51388485911eca98842bf8b0b4eb08a1eab228b0e96892d2e59530c006

SHA512
cca608bba01986237d3832bb450cb21c10d72849cecb03310653ae03907dae4c28005e791d7ae4ad91412148f01f388f58ab34c1a51264420f4da0703ab72973

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
c3f3cc6af3080c173592dda029596bb9

SHA1
3b71fa5d42cf25a9a3c35085267916c6915d2222

SHA256
c5818f2f90b22c9251f9813e0d973d62cd410704aec0e2f7cd08c7e74cb61af3

SHA512
c30d3bc8fda23e10132b42a2a0e9b4414e5c991b6fa7f346ec434f266c04c4230b4cda69500216b0b56ad3bc3a0c0ed10a1d4b968edc55908001dbf2c103e102

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P5EODDS5HDUFE12T1IFP.temp

Filesize
9KB

MD5
732feb2c6d74d7663fbe99d197540d02

SHA1
0fe3be234e4bc63dab0c53467216832951d371e8

SHA256
d2aaa7eb220ce211afe8a9d6e52d307e2776366a976e391d5fbd0fa5c10fb6a6

SHA512
5fca628e07099399ac143255d0c8986f579ed526cb18e36b243ccccf644cf00758b5dd1d00f339335bdbe5cb68de7a679db27a230b22df96413262ea853b75a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

Filesize
10KB

MD5
33711c27fa453ceb904319510bb32271

SHA1
057784a81bae44c1dc5c501801fa16a13f454cd6

SHA256
06f4a8ec5b21a90e5e2f8204c3ab1c0423fcf9a279430045e51a6b7aace199cc

SHA512
a372f83933b144c88ee72cd339dbca6eb8245507a35c513e9ccfd7f02d90e2d395b241ded2659c1afeb371864d16af0cd1649adf3c05e1b78ebf587d83af72d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

Filesize
12KB

MD5
1dfd8bf80d107976012ec063b8ca8ce2

SHA1
acf527f7e6c1c65e47a5af6925b3892c3d23345e

SHA256
ad46acc7f035a5ac747004c1a708ff699cf8b8de1693b5d4bdc72e0f81d5f4d0

SHA512
595d0c696d961da3119fa3da9b7250858aebbbfd85bf7db55b2248cf9f8750adc9ad37261085ebff7a7a14c13a88014dc788c1b7d0a553f9fe533f69300da991

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\bookmarkbackups\bookmarks-2024-08-26_11_atcvlnuPuRmoiHlFCDpsGA==.jsonlz4

Filesize
1008B

MD5
2a21fccb447ae56972c03810ac7fcab6

SHA1
1f7a27ba3cc3729e6b68ce863eb423208d4659af

SHA256
0e33c7fedcd1b09de07f6794caeb772c3864582c0d8c2bf7abe50c219dd0f484

SHA512
43e59bee370ac96f52cc0415e71067c726661847d3082c42923d9eed885f2c86bade732a44dec0cd0945258d3d6ded0af700841651dfde369e22efa067dbb020

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e997fbcf399adf3897b01e9e101e3c62

SHA1
977707fad57ba80d9d5c9f0d8a1c14db0d59e417

SHA256
1f427db7f82f608fca158899d86e22ef2db42cdd42325d09fcb56dce11d57123

SHA512
021f648bfd08e5cec19941ba9014b12a0e3db511dda9471145dcd9fc1d589ebf104c0ff808fb2a4007de3fc6e8cab1f13acf27fcd4fe6a1f4d434f6913d2251f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
34KB

MD5
177ba3a937750a01e86f8a72947a8fb2

SHA1
5045e3610ffb99bea9107543adeb8645c910ce84

SHA256
9f04f4e93b22780a433c06f162677d8eb642be26c9a710886282d2fa339fe153

SHA512
1daebc8507152b53dfec00328c03a27be0555743f07c929824a78e1a0c97d5d62580f8202db11c1b9c198dbd0ad4faf1e08c17faac8fb3b112fc1a54bff1e97e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
963a8d0f0bfeed83065951b8aac24a2c

SHA1
d1e5aa6792aa698df3a2a74e382422989a2f3687

SHA256
05ace64080506e0094bedc9d5d102c807cc0a6f5531d17c0987e007718a3862f

SHA512
c5bf73fd9cc245566effe395abd83f3777e50983a7e933a99213e3cb5e8564c7ed2a6e177acb9024b748ae85faa9b68f653075ff8c1478b0d58b1af73ce8bb91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\6021c5ad-1412-4016-9d12-229d77819cf7

Filesize
26KB

MD5
79a84ebf45d16a31a7afdc63787f6ba9

SHA1
5cd707588cb55a13dd23915649c25f1670d58805

SHA256
c34052ee9793442c306648abb2ed22aa7988971f046e4b14bd77b7a4348dc12e

SHA512
89bf96638d773549f498f06b5c76a7d0edb2d36042888b6cfca172ce765552f8e7460b13d1da51eecb39577aad89fcdca72d8e1fadd6cef77c383f332d3cb36c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\808c1433-0b09-4389-af46-e44135f32da2

Filesize
671B

MD5
8d87cc42c78aa9be5f77584cc59c920a

SHA1
f927a5ffc0f24dad22ca9ad498fd69ba422f7d69

SHA256
a6ef0feda77232a5654b81f0931efb896c8a38c64fb4536236ab1388d5e58c7b

SHA512
a730cf85ccaf0d8d25cf44f8b327c4bdcf2121f94ec27abf8c012a26f577c6c802460cb6cfde6899f3e44b765bf6b7cef40b7219cf8910cda801202aac177feb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\e449f81c-d753-4dea-b2c1-dec00edfea45

Filesize
982B

MD5
4323e9f27983783329fd2c6df8be7ecf

SHA1
ef988f31c91376bef092459505f4c52731a1433e

SHA256
2f0aabb6bccd89f843f630342e5d3e0482e3da9662d34c27271701a555a4299e

SHA512
05fbb46abdcbc2378e3b6b40084f858e9d3293bd4b4a13ff6cbe370f7898e2d56b3d28de2a776bb4edec7621105f9a6da34ed1b4d347ed71b1ba9341ac5540f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

Filesize
12KB

MD5
bb083e7169f9cbeabc840e2070b9b2ec

SHA1
4465b085a35d1d023b516d94e217827648ac3a51

SHA256
c1df5236ba85eed55f88aaffb1f684fdb827aabaf58965596f089baec5d2e3d9

SHA512
d8b694ca5f2c8c23d0a267b65600cb7782e8f75e628404989957bb87e0722c3c8f4bbd6fe48ab1012877ef27834697105bafc466fea3366c64476c609eaac701

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

Filesize
13KB

MD5
3e445f0877c442ebbf55d8e4ec90e39d

SHA1
9c996a52a4ea4a1c94735f4808cf13751dbce973

SHA256
184e37eba0927bddfc877f6334bf9a4f49dff60847132947311fd96cb008c2e2

SHA512
dec2af532c8cb46d0aae944ee445d5f993cc8943c81f7ecaec10a6a2543cb97315b7bec387167e7b9fce4f97f7f8f5c63dd3b592de55882e493d94e9d515ee48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

Filesize
11KB

MD5
bb0209ac30c5c593993800946d3c307f

SHA1
f122c888dbbad3c8c44888a52cb196a8b3bde7ee

SHA256
9a0be1831fc6099949e0e2eb1fd7916f07c6e668258a3ce1f959be4700c70308

SHA512
bcac9da9d7348be197163b45ff5030388fa2988700b72aa49a36c4c6499fb548cf9ad7a54e5225ae01d8f8590a3c829afbc6201c9cc0422666f32112e6c3f900

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs.js

Filesize
10KB

MD5
f57f38285515543cb76a3d432683c1b4

SHA1
ade931fa20159cb7f9868cbcef39b2ca0d7f006e

SHA256
c265da5df07101686873c7847aec499afbc77232069d5dff82623667d5ca2a71

SHA512
4357587b6ea301c8450145e0c210b933163938ac779c3fd45defc9e4b3f526b6a2998f5b150c24f9bfa0ffc5f166f496fb66aa14340b70203ff1d483eb02cf37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs.js

Filesize
10KB

MD5
4cd83a5a29723dcad4d8db612fce910f

SHA1
90dba9adf42349345efcb424dc7b548c70d43c5b

SHA256
bcba24f51c9b5a3c9472a74b0816fa3b8010486f64c1dccf677606540cc6c3b6

SHA512
cd35be77f890ab69f5e34d02132ecab10500344863a32f445a85ce14aac5edc2788739af51278ae24b9356a77b05e722bc05aa8ab0e2e54f406a50b26056802d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
ed2288e61080e384980b1117d7637c75

SHA1
851cc91843fdbd944538e8654273789881530475

SHA256
e45881492cc448bcd358f4ce18c4018bc9004621c0d2457e7cf39a36bed32f27

SHA512
3b56e1df4d2b32155f25b219d4a12b6c881ee49700ecf94672339a33aa72c58cee2c756b0208ae2704f9fd0d4925b2c44c33a508bcb21efa91b2caa59e2563ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
0313450daae9a4ebd2c22a01048d3044

SHA1
ee0dd1b60486c11936df8624de9ab4bcaa2bb892

SHA256
ea1e0a3d111f8bf61c4a9288003a470dab776018b6febb9b5a55450c9029bde8

SHA512
971e393a0fd6b847339f82fe644c890ae11d7d42b21f1089839a0b85840c17b9fd51221525936901d7d6487941b4f7d9c7dbcb4c009bda483d24d29ee29727aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
285d7d6e7aef11ba75a847a13c3b11ed

SHA1
79b6974260c7a73547f5f5b2babdecd61686201b

SHA256
c3ab0562b8bc1c4a1f88f9a62bbc7a7cf9a68157c623f849a5111a3098613826

SHA512
6cbe17bbd7a18056aca49e81f93cc2599fafddcd6b681a8e568b3b018c240fe80a1f75d449d423bcf698eca8ae7811e46b6e6c000e41f3683bf14967c6df0b1e

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe

Filesize
45KB

MD5
5027f040cb7176fda3c545808c10c6ac

SHA1
a46e3b750ccb179bcba01646f36471ad7f04f1cf

SHA256
952da04c25c3e3fe225e909eeead4bc61a2c671fc619994b8ebd18cba8de59d5

SHA512
566416f41b1e1c0b5df6446b8dff8804d106ed58593a3dc3c5907c030932297553e18d3fa4b891e383d66d418f6c3b21db498f422250cd4c9eb01327ecab26c7

Download Submit
C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier

Filesize
168B

MD5
047d7c1d16bc75d007cfc183ff317bec

SHA1
562295b1e314bd9f30daba10be3fa40f3aabb1ee

SHA256
2bc0a00ef40f6f42f6e1fe803ae1ac4dccdee6a4dd2796b7a647f6a235547c51

SHA512
3363f9ee7a7e1180e828128e8cc47e2291adec6b1f6f1065ae048c50772ddea97b1e55d7a37800a28ed92e23e5e2a1250c914ea110c75e9d446e5428cc443f30

Download Submit
memory/1040-314-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/1040-15-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/1900-411-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/1900-443-0x0000000075040000-0x00000000757F1000-memory.dmp

Filesize
7.7MB

Download
memory/4528-0-0x000000007504E000-0x000000007504F000-memory.dmp

Filesize
4KB

Download
memory/4528-1-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download