Analysis Overview
SHA256
952da04c25c3e3fe225e909eeead4bc61a2c671fc619994b8ebd18cba8de59d5
Threat Level: Known bad
The file Galaxy Swapper V2.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Xenorat family
Downloads MZ/PE file
Executes dropped EXE
Subvert Trust Controls: Mark-of-the-Web Bypass
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NTFS ADS
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 11:00
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 11:00
Reported
2024-08-26 11:10
Platform
win11-20240802-en
Max time kernel
595s
Max time network
600s
Command Line
Signatures
XenorRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper V2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe\:Zone.Identifier:$DATA | C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper V2.exe
"C:\Users\Admin\AppData\Local\Temp\Galaxy Swapper V2.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00caaf7a-a055-4326-9b96-ab35c6071852} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a770f88-a22a-4a8f-9de2-2dfac59c4c5e} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 1652 -prefMapHandle 1648 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9519cd64-3c95-4a48-a33a-720bebcd8261} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 1692 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd9095ed-850e-42c9-89ba-b551aa0d7710} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4544 -prefMapHandle 4524 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b731794d-6db6-4266-9e39-8acc692991d1} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 3 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5923071-b137-484b-b19e-529e323bcded} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c69d5cc0-d835-4aa4-8ab4-c56d1a5400ae} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5940 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e8f4ef4-6efc-480a-a80f-46266be5b6ce} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 6 -isForBrowser -prefsHandle 5656 -prefMapHandle 5876 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c3a5c7-37ee-4a00-9a70-8b67fb4c4c23} 4740 "\\.\pipe\gecko-crash-server-pipe.4740" tab
C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe
"C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy+Swapper+V2.exe"
C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe
"C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| N/A | 127.0.0.1:49761 | N/A | tcp |
| US | 8.8.8.8:53 | 47.249.226.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| N/A | 127.0.0.1:49768 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| FR | 45.112.123.126:80 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 45.112.123.239:443 | store2.gofile.io | tcp |
| FR | 45.112.123.239:443 | store2.gofile.io | udp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | tcp |
| GB | 88.221.134.155:80 | a19.dscg10.akamai.net | tcp |
| FR | 216.58.214.174:443 | redirector.gvt1.com | udp |
| NL | 172.217.132.38:443 | r1---sn-5hne6nsk.gvt1.com | tcp |
| US | 8.8.8.8:53 | 155.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.132.217.172.in-addr.arpa | udp |
| NL | 172.217.132.38:443 | r1---sn-5hne6nsk.gvt1.com | udp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
| NL | 178.212.32.33:4444 | N/A | tcp |
Files
memory/4528-0-0x000000007504E000-0x000000007504F000-memory.dmp
memory/4528-1-0x0000000000640000-0x0000000000652000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\Galaxy Swapper V2.exe
| MD5 | 5027f040cb7176fda3c545808c10c6ac |
| SHA1 | a46e3b750ccb179bcba01646f36471ad7f04f1cf |
| SHA256 | 952da04c25c3e3fe225e909eeead4bc61a2c671fc619994b8ebd18cba8de59d5 |
| SHA512 | 566416f41b1e1c0b5df6446b8dff8804d106ed58593a3dc3c5907c030932297553e18d3fa4b891e383d66d418f6c3b21db498f422250cd4c9eb01327ecab26c7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Galaxy Swapper V2.exe.log
| MD5 | 1294de804ea5400409324a82fdc7ec59 |
| SHA1 | 9a39506bc6cadf99c1f2129265b610c69d1518f7 |
| SHA256 | 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0 |
| SHA512 | 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1 |
memory/1040-15-0x0000000075040000-0x00000000757F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\e449f81c-d753-4dea-b2c1-dec00edfea45
| MD5 | 4323e9f27983783329fd2c6df8be7ecf |
| SHA1 | ef988f31c91376bef092459505f4c52731a1433e |
| SHA256 | 2f0aabb6bccd89f843f630342e5d3e0482e3da9662d34c27271701a555a4299e |
| SHA512 | 05fbb46abdcbc2378e3b6b40084f858e9d3293bd4b4a13ff6cbe370f7898e2d56b3d28de2a776bb4edec7621105f9a6da34ed1b4d347ed71b1ba9341ac5540f0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\808c1433-0b09-4389-af46-e44135f32da2
| MD5 | 8d87cc42c78aa9be5f77584cc59c920a |
| SHA1 | f927a5ffc0f24dad22ca9ad498fd69ba422f7d69 |
| SHA256 | a6ef0feda77232a5654b81f0931efb896c8a38c64fb4536236ab1388d5e58c7b |
| SHA512 | a730cf85ccaf0d8d25cf44f8b327c4bdcf2121f94ec27abf8c012a26f577c6c802460cb6cfde6899f3e44b765bf6b7cef40b7219cf8910cda801202aac177feb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\6021c5ad-1412-4016-9d12-229d77819cf7
| MD5 | 79a84ebf45d16a31a7afdc63787f6ba9 |
| SHA1 | 5cd707588cb55a13dd23915649c25f1670d58805 |
| SHA256 | c34052ee9793442c306648abb2ed22aa7988971f046e4b14bd77b7a4348dc12e |
| SHA512 | 89bf96638d773549f498f06b5c76a7d0edb2d36042888b6cfca172ce765552f8e7460b13d1da51eecb39577aad89fcdca72d8e1fadd6cef77c383f332d3cb36c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 963a8d0f0bfeed83065951b8aac24a2c |
| SHA1 | d1e5aa6792aa698df3a2a74e382422989a2f3687 |
| SHA256 | 05ace64080506e0094bedc9d5d102c807cc0a6f5531d17c0987e007718a3862f |
| SHA512 | c5bf73fd9cc245566effe395abd83f3777e50983a7e933a99213e3cb5e8564c7ed2a6e177acb9024b748ae85faa9b68f653075ff8c1478b0d58b1af73ce8bb91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | e997fbcf399adf3897b01e9e101e3c62 |
| SHA1 | 977707fad57ba80d9d5c9f0d8a1c14db0d59e417 |
| SHA256 | 1f427db7f82f608fca158899d86e22ef2db42cdd42325d09fcb56dce11d57123 |
| SHA512 | 021f648bfd08e5cec19941ba9014b12a0e3db511dda9471145dcd9fc1d589ebf104c0ff808fb2a4007de3fc6e8cab1f13acf27fcd4fe6a1f4d434f6913d2251f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs.js
| MD5 | f57f38285515543cb76a3d432683c1b4 |
| SHA1 | ade931fa20159cb7f9868cbcef39b2ca0d7f006e |
| SHA256 | c265da5df07101686873c7847aec499afbc77232069d5dff82623667d5ca2a71 |
| SHA512 | 4357587b6ea301c8450145e0c210b933163938ac779c3fd45defc9e4b3f526b6a2998f5b150c24f9bfa0ffc5f166f496fb66aa14340b70203ff1d483eb02cf37 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs.js
| MD5 | 4cd83a5a29723dcad4d8db612fce910f |
| SHA1 | 90dba9adf42349345efcb424dc7b548c70d43c5b |
| SHA256 | bcba24f51c9b5a3c9472a74b0816fa3b8010486f64c1dccf677606540cc6c3b6 |
| SHA512 | cd35be77f890ab69f5e34d02132ecab10500344863a32f445a85ce14aac5edc2788739af51278ae24b9356a77b05e722bc05aa8ab0e2e54f406a50b26056802d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\activity-stream.discovery_stream.json
| MD5 | d8e79de03a96917ba64bf79f26a1ad18 |
| SHA1 | 4aa447053aa1fa7760503683cb540ec2fe19d4d6 |
| SHA256 | 629b5a51388485911eca98842bf8b0b4eb08a1eab228b0e96892d2e59530c006 |
| SHA512 | cca608bba01986237d3832bb450cb21c10d72849cecb03310653ae03907dae4c28005e791d7ae4ad91412148f01f388f58ab34c1a51264420f4da0703ab72973 |
memory/1040-314-0x0000000075040000-0x00000000757F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
| MD5 | 33711c27fa453ceb904319510bb32271 |
| SHA1 | 057784a81bae44c1dc5c501801fa16a13f454cd6 |
| SHA256 | 06f4a8ec5b21a90e5e2f8204c3ab1c0423fcf9a279430045e51a6b7aace199cc |
| SHA512 | a372f83933b144c88ee72cd339dbca6eb8245507a35c513e9ccfd7f02d90e2d395b241ded2659c1afeb371864d16af0cd1649adf3c05e1b78ebf587d83af72d5 |
C:\Users\Admin\Downloads\Galaxy+Swapper+V2.exe:Zone.Identifier
| MD5 | 047d7c1d16bc75d007cfc183ff317bec |
| SHA1 | 562295b1e314bd9f30daba10be3fa40f3aabb1ee |
| SHA256 | 2bc0a00ef40f6f42f6e1fe803ae1ac4dccdee6a4dd2796b7a647f6a235547c51 |
| SHA512 | 3363f9ee7a7e1180e828128e8cc47e2291adec6b1f6f1065ae048c50772ddea97b1e55d7a37800a28ed92e23e5e2a1250c914ea110c75e9d446e5428cc443f30 |
memory/1900-411-0x0000000075040000-0x00000000757F1000-memory.dmp
memory/1900-443-0x0000000075040000-0x00000000757F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4
| MD5 | ed2288e61080e384980b1117d7637c75 |
| SHA1 | 851cc91843fdbd944538e8654273789881530475 |
| SHA256 | e45881492cc448bcd358f4ce18c4018bc9004621c0d2457e7cf39a36bed32f27 |
| SHA512 | 3b56e1df4d2b32155f25b219d4a12b6c881ee49700ecf94672339a33aa72c58cee2c756b0208ae2704f9fd0d4925b2c44c33a508bcb21efa91b2caa59e2563ce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js
| MD5 | bb0209ac30c5c593993800946d3c307f |
| SHA1 | f122c888dbbad3c8c44888a52cb196a8b3bde7ee |
| SHA256 | 9a0be1831fc6099949e0e2eb1fd7916f07c6e668258a3ce1f959be4700c70308 |
| SHA512 | bcac9da9d7348be197163b45ff5030388fa2988700b72aa49a36c4c6499fb548cf9ad7a54e5225ae01d8f8590a3c829afbc6201c9cc0422666f32112e6c3f900 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
| MD5 | 1dfd8bf80d107976012ec063b8ca8ce2 |
| SHA1 | acf527f7e6c1c65e47a5af6925b3892c3d23345e |
| SHA256 | ad46acc7f035a5ac747004c1a708ff699cf8b8de1693b5d4bdc72e0f81d5f4d0 |
| SHA512 | 595d0c696d961da3119fa3da9b7250858aebbbfd85bf7db55b2248cf9f8750adc9ad37261085ebff7a7a14c13a88014dc788c1b7d0a553f9fe533f69300da991 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js
| MD5 | bb083e7169f9cbeabc840e2070b9b2ec |
| SHA1 | 4465b085a35d1d023b516d94e217827648ac3a51 |
| SHA256 | c1df5236ba85eed55f88aaffb1f684fdb827aabaf58965596f089baec5d2e3d9 |
| SHA512 | d8b694ca5f2c8c23d0a267b65600cb7782e8f75e628404989957bb87e0722c3c8f4bbd6fe48ab1012877ef27834697105bafc466fea3366c64476c609eaac701 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 0313450daae9a4ebd2c22a01048d3044 |
| SHA1 | ee0dd1b60486c11936df8624de9ab4bcaa2bb892 |
| SHA256 | ea1e0a3d111f8bf61c4a9288003a470dab776018b6febb9b5a55450c9029bde8 |
| SHA512 | 971e393a0fd6b847339f82fe644c890ae11d7d42b21f1089839a0b85840c17b9fd51221525936901d7d6487941b4f7d9c7dbcb4c009bda483d24d29ee29727aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P5EODDS5HDUFE12T1IFP.temp
| MD5 | 732feb2c6d74d7663fbe99d197540d02 |
| SHA1 | 0fe3be234e4bc63dab0c53467216832951d371e8 |
| SHA256 | d2aaa7eb220ce211afe8a9d6e52d307e2776366a976e391d5fbd0fa5c10fb6a6 |
| SHA512 | 5fca628e07099399ac143255d0c8986f579ed526cb18e36b243ccccf644cf00758b5dd1d00f339335bdbe5cb68de7a679db27a230b22df96413262ea853b75a7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
| MD5 | c3f3cc6af3080c173592dda029596bb9 |
| SHA1 | 3b71fa5d42cf25a9a3c35085267916c6915d2222 |
| SHA256 | c5818f2f90b22c9251f9813e0d973d62cd410704aec0e2f7cd08c7e74cb61af3 |
| SHA512 | c30d3bc8fda23e10132b42a2a0e9b4414e5c991b6fa7f346ec434f266c04c4230b4cda69500216b0b56ad3bc3a0c0ed10a1d4b968edc55908001dbf2c103e102 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 177ba3a937750a01e86f8a72947a8fb2 |
| SHA1 | 5045e3610ffb99bea9107543adeb8645c910ce84 |
| SHA256 | 9f04f4e93b22780a433c06f162677d8eb642be26c9a710886282d2fa339fe153 |
| SHA512 | 1daebc8507152b53dfec00328c03a27be0555743f07c929824a78e1a0c97d5d62580f8202db11c1b9c198dbd0ad4faf1e08c17faac8fb3b112fc1a54bff1e97e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js
| MD5 | 3e445f0877c442ebbf55d8e4ec90e39d |
| SHA1 | 9c996a52a4ea4a1c94735f4808cf13751dbce973 |
| SHA256 | 184e37eba0927bddfc877f6334bf9a4f49dff60847132947311fd96cb008c2e2 |
| SHA512 | dec2af532c8cb46d0aae944ee445d5f993cc8943c81f7ecaec10a6a2543cb97315b7bec387167e7b9fce4f97f7f8f5c63dd3b592de55882e493d94e9d515ee48 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 285d7d6e7aef11ba75a847a13c3b11ed |
| SHA1 | 79b6974260c7a73547f5f5b2babdecd61686201b |
| SHA256 | c3ab0562b8bc1c4a1f88f9a62bbc7a7cf9a68157c623f849a5111a3098613826 |
| SHA512 | 6cbe17bbd7a18056aca49e81f93cc2599fafddcd6b681a8e568b3b018c240fe80a1f75d449d423bcf698eca8ae7811e46b6e6c000e41f3683bf14967c6df0b1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\bookmarkbackups\bookmarks-2024-08-26_11_atcvlnuPuRmoiHlFCDpsGA==.jsonlz4
| MD5 | 2a21fccb447ae56972c03810ac7fcab6 |
| SHA1 | 1f7a27ba3cc3729e6b68ce863eb423208d4659af |
| SHA256 | 0e33c7fedcd1b09de07f6794caeb772c3864582c0d8c2bf7abe50c219dd0f484 |
| SHA512 | 43e59bee370ac96f52cc0415e71067c726661847d3082c42923d9eed885f2c86bade732a44dec0cd0945258d3d6ded0af700841651dfde369e22efa067dbb020 |