quasar | b015b400bb4697f7380a3282cf945a3d16a31a8f75668afdf0acd5b70adf2d02

Analysis

max time kernel
141s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireFlies.exe
Size

748KB
MD5

860fcfb2215baf853a832034e9453a7d
SHA1

ae2fed6c23d1c9f409ca7e2e47e154582519f04c
SHA256

b015b400bb4697f7380a3282cf945a3d16a31a8f75668afdf0acd5b70adf2d02
SHA512

688aab0781c51e2e18b64e870ec3e70cbfd1353934ede3bd8d8ce66183c621a40129496dae0363350e74db291c252749806a98c18b705dcfd4f5edf3c5a98a57
SSDEEP

12288:nZ5XIZvKtjSlpzQ6cxBD0eDr3rPq5XIZvKtjSlpzQ6cxBD0eDr3rPIFRVR/:nf6vMxBDBDvPY6vMxBDBDvPq

Score

10^/10

quasar umbral office04 spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1160310307609120789/rXDfzEAlPL0Bu1LrYprFmlBAs5RPl58Ukf1e6xALA7EaX_-5EMRHl_7QEahpvikDoDLR

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.168.76.126:32770

91.168.76.126:32771

Mutex

a7690a4d-0e0e-481d-b949-23c715844aa7

Attributes

encryption_key
3B3DD6831EEF1072B2B0C196C0726EEBAA9960B2
install_name
Fireflies.exe
log_directory
Logz
reconnect_delay
3000
startup_key
Update
subdirectory
FireFliesTeam

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00030000000006a5-503.dat	family_umbral
behavioral1/memory/4148-505-0x000002202F140000-0x000002202F180000-memory.dmp	family_umbral

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/files/0x00030000000006a7-511.dat	family_quasar
behavioral1/files/0x00030000000006a7-510.dat	family_quasar
behavioral1/memory/1552-517-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/files/0x000100000002a7ea-523.dat	family_quasar
behavioral1/files/0x000100000002a7ea-524.dat	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 4 IoCs

pid	Process
3644	FireFlies.exe
4148	injector.exe
1552	update.exe
1564	Fireflies.exe

Loads dropped DLL 2 IoCs

pid	Process
3644	FireFlies.exe
3644	FireFlies.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
203	api.ipify.org
20	api.ipify.org
166	api.ipify.org
196	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2740	schtasks.exe
1084	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1628	msedge.exe
1628	msedge.exe
4188	msedge.exe
4188	msedge.exe
3768	msedge.exe
3768	msedge.exe
3688	identity_helper.exe
3688	identity_helper.exe
2208	msedge.exe
2208	msedge.exe
3644	FireFlies.exe
2872	msedge.exe
2872	msedge.exe
1880	msedge.exe
1880	msedge.exe
1996	msedge.exe
1996	msedge.exe
4888	msedge.exe
4888	msedge.exe
1352	msedge.exe
1352	msedge.exe
1056	identity_helper.exe
1056	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	FireFlies.exe
Token: SeRestorePrivilege	4648	7zFM.exe
Token: 35	4648	7zFM.exe
Token: SeSecurityPrivilege	4648	7zFM.exe
Token: SeDebugPrivilege	3644	FireFlies.exe
Token: SeDebugPrivilege	4148	injector.exe
Token: SeIncreaseQuotaPrivilege	1432	wmic.exe
Token: SeSecurityPrivilege	1432	wmic.exe
Token: SeTakeOwnershipPrivilege	1432	wmic.exe
Token: SeLoadDriverPrivilege	1432	wmic.exe
Token: SeSystemProfilePrivilege	1432	wmic.exe
Token: SeSystemtimePrivilege	1432	wmic.exe
Token: SeProfSingleProcessPrivilege	1432	wmic.exe
Token: SeIncBasePriorityPrivilege	1432	wmic.exe
Token: SeCreatePagefilePrivilege	1432	wmic.exe
Token: SeBackupPrivilege	1432	wmic.exe
Token: SeRestorePrivilege	1432	wmic.exe
Token: SeShutdownPrivilege	1432	wmic.exe
Token: SeDebugPrivilege	1432	wmic.exe
Token: SeSystemEnvironmentPrivilege	1432	wmic.exe
Token: SeRemoteShutdownPrivilege	1432	wmic.exe
Token: SeUndockPrivilege	1432	wmic.exe
Token: SeManageVolumePrivilege	1432	wmic.exe
Token: 33	1432	wmic.exe
Token: 34	1432	wmic.exe
Token: 35	1432	wmic.exe
Token: 36	1432	wmic.exe
Token: SeIncreaseQuotaPrivilege	1432	wmic.exe
Token: SeSecurityPrivilege	1432	wmic.exe
Token: SeTakeOwnershipPrivilege	1432	wmic.exe
Token: SeLoadDriverPrivilege	1432	wmic.exe
Token: SeSystemProfilePrivilege	1432	wmic.exe
Token: SeSystemtimePrivilege	1432	wmic.exe
Token: SeProfSingleProcessPrivilege	1432	wmic.exe
Token: SeIncBasePriorityPrivilege	1432	wmic.exe
Token: SeCreatePagefilePrivilege	1432	wmic.exe
Token: SeBackupPrivilege	1432	wmic.exe
Token: SeRestorePrivilege	1432	wmic.exe
Token: SeShutdownPrivilege	1432	wmic.exe
Token: SeDebugPrivilege	1432	wmic.exe
Token: SeSystemEnvironmentPrivilege	1432	wmic.exe
Token: SeRemoteShutdownPrivilege	1432	wmic.exe
Token: SeUndockPrivilege	1432	wmic.exe
Token: SeManageVolumePrivilege	1432	wmic.exe
Token: 33	1432	wmic.exe
Token: 34	1432	wmic.exe
Token: 35	1432	wmic.exe
Token: 36	1432	wmic.exe
Token: SeDebugPrivilege	1552	update.exe
Token: SeDebugPrivilege	1564	Fireflies.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1880	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe
1352	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1564	Fireflies.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 4188	424	FireFlies.exe	76
PID 424 wrote to memory of 4188	424	FireFlies.exe	76
PID 4188 wrote to memory of 4252	4188	msedge.exe	77
PID 4188 wrote to memory of 4252	4188	msedge.exe	77
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 2252	4188	msedge.exe	78
PID 4188 wrote to memory of 1628	4188	msedge.exe	80
PID 4188 wrote to memory of 1628	4188	msedge.exe	80
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79
PID 4188 wrote to memory of 472	4188	msedge.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FireFlies.exe
"C:\Users\Admin\AppData\Local\Temp\FireFlies.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/e5ojxqc5k27kr62/Fireflies+NEW+v1+RELEASE.rar/file
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffceb83cb8,0x7fffceb83cc8,0x7fffceb83cd8
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
    3⤵
    PID:472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
    3⤵
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
    3⤵
    PID:3876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
    3⤵
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7352 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
    3⤵
    PID:1860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,12520830320831378153,15322775659689470620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3004

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Fireflies NEW v1 RELEASE.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\Downloads\gfdfyhu\FireFlies.exe
"C:\Users\Admin\Downloads\gfdfyhu\FireFlies.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644
- C:\Users\Admin\Downloads\gfdfyhu\files\injector.exe
  "C:\Users\Admin\Downloads\gfdfyhu\files\injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\Users\Admin\Downloads\gfdfyhu\files\update.exe
  "C:\Users\Admin\Downloads\gfdfyhu\files\update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- - C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe
    "C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1564
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1084
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://link-hub.net/530992/fireflies-executor
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:1976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
    3⤵
    PID:2200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,1856524582585591520,9061484303560342681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://link-hub.net/530992/fireflies-executor
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffceb83cb8,0x7fffceb83cc8,0x7fffceb83cd8
    3⤵
    PID:760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:2364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:3632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    3⤵
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15448088288138570857,10096503486507566412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffceb83cb8,0x7fffceb83cc8,0x7fffceb83cd8
1⤵
PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
05ed8d7350c6abddb2413582af13b728

SHA1
98b3e6793352038355ee54fc58828e5ca1cf0f77

SHA256
878b0ffac96b1428cb415ab15b289258dcf9fc175ac2571622e4dc1219f32c01

SHA512
b80bf631b56588daf08570c05aac9a67cee414403149c223a005a7dd9c81b5e8d4c6f175815106f039d47c1bfef875ecbf65efba106d5107b137f2aabe446058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8aa7a17ad03673ee6bc8d6c7a6cf1ac2

SHA1
91f6d0e1b1b74595adf174a4f338fd4ae0596459

SHA256
5815e93dbc75522d500f739fad9f312435296570a7b3ceed923986b83c71837f

SHA512
4c259d1a5326314c7a0e3c455474249b069ce457d2df1c840b3eb9fe6f3d7763eafceff8947226e50ab59e5edd84606de2354a507341364e81fde62b772619e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a52c3c9a3372cc5fd5a09aceec44d027

SHA1
a6657cd1b3d9863163656c66ccb3b3e377fdddcf

SHA256
c98f1107d2dd353f704954757be01d382325bdb492a230c833933ff615911587

SHA512
a35adb111136bd25379a799f39f5e7801394f349b51335737ab089d39924ea62e396b9a4c17834a4c29d2fc90ec1368dddb287759a834b36bb9b096e2da9759d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5d1a279f-b0be-4fae-918d-78f11e4fe0f9.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8cb4a34f18ce8879b24a99022e4feda7

SHA1
ed0fc1ed17d93d3994242fcca4930b5ae31bef5c

SHA256
d73ad3131e6e081b5765c3ba75beb0bf888707b701051305fd1e9e97c2de0758

SHA512
3c05c425af1bf4d9afa4dabecd9a70369d917a1e06ac4d83cf3e9c764450bdf8308ef660dd9ff6d62fab59d459cb667eb22f45e67252d3be6411b23685906e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
856f985d2bc0a25e3c3f7072e22852f3

SHA1
2f085b32a5e38b025ff7eca980efbd970f302c1c

SHA256
5e9c07fbb50d52a39e5a9f924097761bdfc95acfb952df7390fbe79d87fc5fcd

SHA512
252019d28c6b760ee4b460cc7d1f6b3b0572e3aa8f12fa2e2725767cbc6347ba5d2ecf517e61bef877d2b9699be8ed5ee65d8e88172ef1155a3ff5154311e119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
91d59370cdd89e9b547ac177cb2fef5a

SHA1
f9718a916e3634c512152a076a04ffc1c303a8ed

SHA256
803697f8d7f96b85b9cddfbc80ba709009ed3ce33d298f726d938f403e657ac0

SHA512
e1a0201f9b40616930c781403f4cae40adee04387401aaadf4b8d61f9439ad884510438f092aece625f96b76030057f44ee9de30a0714802fefe088bb735be62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
aa6589e835c3a1837ca60b0f5df949f3

SHA1
4beb4795acfa7c52eb95ac91c780726669bdea0a

SHA256
36ec95eb7bfac33d5bf3f92340778001e0646e39cc36fc41b5b4854e635f0155

SHA512
e5698ef3e50ce35bfd8984cba3dd9b82e80ffb7723b01735fe7797e1efbddcd18c6dc6048de95af6538f162a85b38666edec828dbce9ebb376ebd88bf20fb2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
492f229ab39835cfa080accb90b7cc1a

SHA1
c6bc06e8a5f3a3f50389f7cba5e43687d075ee49

SHA256
8cfd9149171a9c03d316acf7e38f5e9f2f4abc50a134166e94d366efa53332e4

SHA512
16b366f1b4e935023320180d9d4ca5bf2498757cd7f2d2a545af30d5958993ae63a0317aba1726a5be4d62e0df3e1552c46a2f84aab3cdbb3508b9c023483ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ec3b63fd2c227639a7ff06f2dd92d415

SHA1
a690c0250a7013d581e4dccb02ba93fa28b27ef8

SHA256
f8f224726726d32e1d9d34cfb923c8185fe9c42ca2908268476d96661a8ad455

SHA512
bfdadba4c761157f31bc915bf382053b939ec72065892cc60883794378a74be30b98a0669199eab97d3b0930cb5fd59be5c7ffdab2450571357098ff391ea302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d85670798c9de448520bc069a25164cf

SHA1
5db2a53202b97dfd112e644d56530fa931aa5ffc

SHA256
ea3225bafee662132fd03740db91ed3a0d4f5f2775a0897f91d15c3e87b926c5

SHA512
d4c8c67b5485595eda01b05991fa77f6966a011c68bfea5b3f5ce2c60da34175b07fbea1c04746de2ec49d5dc3799b0327192d46998039349846382be21b15f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
10KB

MD5
a7b858a226541b3312df755d1d38f449

SHA1
e71869e4b644cb7f4139b0e20da6301175822914

SHA256
9194eb3872b3a86f96711fd11849d5975e08358a779b92c960b3dde0375853c0

SHA512
71045f579c6644f47034d00bbb7a2a9a753c1e43eb168dfa8e68f134ef620ce1874dd805e9dcc996b70dff68f6dafcca7494fadff01829c5413f4804ea110d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
452276dee4197c1e13a57aeed760cbbb

SHA1
eff81c77c06b3067f7632f47fba8f63d1037b79c

SHA256
84146a72a37e92d7af4f3f9674f3a181b95f7ec3be9843a741caebff77cff462

SHA512
d686f64f5aac1e02bd4281bed37f2669d2a2e6f4cf927a795c0dd2ae8d4cc923852ccbea3eecc3a644c2cf9d29f4cef58ebd3ad0a1941e3119a9a0214f52128e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
54b139e7b1907dc67dee5fc8536a92a3

SHA1
8fbccd30a6c867a0dd97427aa4cb8ef561a8b616

SHA256
c59c1978d0f07afe1ea83a6c707a2514c4ce04d2ba7ae26fc25e8c5b75a7d224

SHA512
dccae6db3f223b8ac147baf1f35975131cf10800aff28f41e05060a2274c87c699aefd14e1f58df6e311b54ce11b390f7fc8f62a134595f9669407f30659dbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
947747f3f2aa6569968a390d4a74725e

SHA1
94f0069b5aad0e839b4dbd34d88f37b085092026

SHA256
ca855f963e91490116cc6a05c010ee93c231e1b52de4a63253c97399255e411d

SHA512
42d83693a9e9a9803d9867cb1f4ad3dd6d2d4b843e81f0db8c7aef65cb5ce41f7d04ffea623cb39006083a39ca1871d6763b0bbeac0b80a833c06d25e4c1d121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
64abd8496ce85b330b6e2e99dd8cf234

SHA1
1744d539f71d8f5c40aa568d00e48598256e3078

SHA256
7cd4d3b6c00272501f30312a0c6957d47c011f954a23921f56a0763458d9ffd4

SHA512
855be245e9f64a9531e07c2fc4dd92d1ddbc860d59424246707070c1038d724f99f16f21c8dd72461f49e1153521d9746a2bfd3668ea9f5707a21a2a7f2dc496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
9f2fe3d0fb58ed99fa2cd990b3885bcb

SHA1
7cf389526a0f260a3418de77ef6fb7f8f7871980

SHA256
b671dd5a3ee566fe015afcaafe5b286dce3f28bcc7b328170e663085bc5d46b1

SHA512
1dd33b00d87fb3e0cc6d6038ba0579e5387c927a7ec3c43bf4d321b1487d9ce70e562a90c162d7b56127f8516bf1af3626dc8bf9be16ca047f7e8d489e2b331b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6892c96695243e93c90f266e0bcf920e

SHA1
c1cfed656be885b253bbe4877ead4239ecc427f5

SHA256
49f8ff35c99846ff55f86ec9375a7db1b816963159297324f0db4e7bd14b13ea

SHA512
875e9b312d3177a7fe68972f8b5027b45d917c8dd5bcb4f0caceb220ec9ef509f0ef8549a399516c2371116814a3870d92c61b60fffb5caec68567629b5784d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
8655f9dc83c8a750666730221c12abc6

SHA1
eb6c1bea771f399c93c7f235243aa626f60a6c5a

SHA256
c78c28f0b2a28aa634b94e0b435db92b3fdd80388e33e00b305dd3f0c0ae06cb

SHA512
8f23350eba21c4a7715bf7b37a0153aa1c609d8f2b25e317b2f9426c983d146da0b4a136bd161244de8b0996be2c34d82e8066ae89dc2558a1d1115a117bc474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7fe37cae2b30c394b963a1c1de08a7a3

SHA1
6895313a8483fd0bcb788a2b8ac768fefd797cd7

SHA256
10074141df7a3c54d827d6ba56ad7335584004673a5ef837e0bea41611a04e83

SHA512
a18e19d4698136a13789cb2f52a7e86f5eb8e76418cbbb94be887b55cd6657499ba9e54adf76d7c7ac47e1baf6905500ab647ef94bad9cc9a059f528297ce1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
4e65abe333e62031c98c38a27b7364fc

SHA1
602c0b5486d026b5f278500605e7fadb6fb9e445

SHA256
7dc414dc7c37fd728d012121eb0aac60549d765e04bbdca0f25dc5c5aef9ea2b

SHA512
3d352dd5cead255a5f593f93d5db106e63378d3685117c9720f21b377575c7eb4b6181bee3196e38005c10b1813e2d8afa5c40f47c6c95b9d004d402ea43ebe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
fa2ffcc27d159a747016c9d54718ba24

SHA1
c2df202a366c501a066f6ad0c5a6c95103367bf4

SHA256
5363688388c4e822b36d136fde39402524e2b6feff5ededc2346f729c155cbaf

SHA512
6fc4ef520b5dfcd8b1dad346c52e3affc59ea83170773527a4ae618b41f116ab4b0a094da73f2cdca71162a66e5031a3d4f758df1ffce1c8e3c3809fd956cf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
28ff249ced46aff48ea0f578e7053a62

SHA1
1d8b82fcc239f44a1abc42d173a413c9c530c712

SHA256
50e58a13b57ec8842b2e50693e8acf5ad88f7d8d73fb78e86fd39871fa48deb9

SHA512
4a757a0b54500f9a9945b5b0147e60beb99e3c61460fef70b15dca1ed749223bff949a003721b008bf419a16ea140d4f96dcfdd0ef4634ba11e8cf6638209d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
421aaee1e001158bb890605400c03d5e

SHA1
c87003fbc556cb14264a9ae1b86b46983dc89950

SHA256
1d0550302ad5096548b7b03344924ff62e2f0b3c68dda18e3827d64202aa2069

SHA512
167c2d8b59748c16f406fb041222bb137aed08c973c7c5822b14284de6415d01898a696ae6afaea2f7e257f6a28e77f3fb7298c6f7f8265b633dcbb196949307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
bd3f05e405b12708cb645c339da05780

SHA1
232de6ce938bfd0708d1796f33d155e925fbf3d4

SHA256
6b211bb9d7f74e17b463b9391112d8fff953c2bcaeb4c73a4a0abc3f0467260f

SHA512
46a5538742dc3d5816b52535fe286645d50e6b846eef47180e77f7a635642a5713271b5328de40e5e68904313de3502cea049049cdf164fbe96b76d43e7226ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
3da3cf652acf7e0fee298963e8cb77d3

SHA1
8d35e8ba0767c10324335e8fc8f5c422ece4e504

SHA256
9b436ba7a14d3947bfe73fa9bd581f6fbf0acbf26e97a3a54d6d032d19f8cf64

SHA512
89e9555edd366fedaf79bf4c6da816a69fb220c987337369511c4422034cad486338a261eb6954d000dbfa636c969d04b65de62bb6df9c023ca5e11c892ee83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
3ac5af97b175ce98a7505e7041b56813

SHA1
842c6585f724d54dfdbac73e6399ef9779fffe1e

SHA256
0c71165e29e64e6ef720a51ffe19bd3f4f2fda61dd8dd563c1a081659e917786

SHA512
89db0d0ddbf02149aad3e14d96b565ea72ff0117c2ee8cb710e1ba698a0c40502e55a9066cb693b8df3e7f35749456ced5b1d8f6512f898c7458142f10995e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
1dba49aaa6c5426481e7b4a8cf79a4e7

SHA1
9582c0caacf3aec48d99d11ebb400ab50aac3533

SHA256
f142380caf7f8dd5a794f1ca69b20da8ea3d0bd54f18c6b6742c675aa1e683d5

SHA512
1b196172a9f3740481992375772192133ed6d9c0a568ba9db706bd821c88c835ca3c47a1d0775b39992d654748106d6814baee607b9f65a22c3a6ee9a21af54d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13350073093801221

Filesize
20KB

MD5
1fc435a8d0973e13414b94382f51a756

SHA1
3c6b33ee3328d742bbd8cd3763216977982c81a8

SHA256
8f297d16d7a14c0fce797710e7200af516fb60893f5b408c97e988341cae25f5

SHA512
f57c684a3337815c7b76146f05acd3a3523108de305562b6c5a906911918d742c7db5d0cdcf7ed003ed7629d0ab412d5b67eb1e2e0e099a4f25b6ec860afe6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
26ccb925974e803b4946d23cc76549f4

SHA1
985df7ac255c584db9e9368fe643193411158b69

SHA256
df086cba424164efbbce41d2889ea328eeab68339ead257aa2d0bc8180917ab8

SHA512
89c3116dc0f4e65f1295e8409a8f9bfc7a8120cc68db57524ff0eec831334ac0aad64938c70bf85afd57c18f8990c2827ae5ddf226278caafbfa65d12b6bcfc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5fa3fcdff047c8df2ec4328575ba7cc1

SHA1
6f1055eb220c0f36107a38b764359790b4abddf1

SHA256
3f0c191c8d2d0c72095ec2052b75015c7fb2f40fd68f5fc52c329e1033ca7c7a

SHA512
8caa15a516fe90baeec95f0c02d346eaca929b1881075500d3c0e2965cdaa07af0a9701789a6762572cc34077cd56b4379df5f6b2271767511a71941e7c287b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
d50283dcdcc67cf503d6e7ebd4ab4388

SHA1
c04207325c09f01d0ecc76daffb6bba0b7c54337

SHA256
4775f4fa3f1631ba52e8aeee0bc72a3487e78e722b4624cc404f194a1afceada

SHA512
01ae7f73d5cac77e3f8fdf5286158c2bb9489c0b8808c5898c486afbc094764a8d7afbdf5323d1baf86092618819702dc95035bdae969498ebc697b4deca21c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
354c5bebeb38a9da814e7048398a532c

SHA1
d5854e2c7d7bfb9283fd3c46b9cf43ac13f5812a

SHA256
d3dfdf1bfa3336f168bba360c1bec3b9fd85895e072674d86a04c6f5605ce398

SHA512
e9a6f6713b9506f6c2a107ca8b95e213a881147891e1b61187467ea0ee3794563f9d4a3fa480aa14ce6c8066d81701424fb13342494eb5972adf4138cc6c2b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4758ae06b57345f830e9e3df71b99bf9

SHA1
4e21784d5aa227be4c53449b34f7a2fe97a0ce8e

SHA256
ad35e24f3a8cddedab62647ed158ac14189569ba622fbae87939549616f96c2c

SHA512
520e5549ccbddcfe04e77cb464063ba2b3f351d80a077cd117ca91b981f25f34e5ad9f906fe3ae9b2429a807eaeee229effb4c852df5baa449b0aea0fec9885a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d368715dae388842bb5832a8f1f49a80

SHA1
412cecfac8a33cb38525d3d93abc6c478d5d7090

SHA256
6a347605c67ab9e29706722ec22807106dbe0c98594864752938e7a6e0dda3f4

SHA512
9409821a5c4ad541bb48a6b0cf92c731ff0ca69ee9559f140d8971ce1ce12a6089d441c25e4679d584352917e35dbca054b330dbd64c413d2c2d36362fb5d7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
c2f6e98485d1d8ab2cc3fa171bd270c0

SHA1
a4914a1ea2cc7e965623cbe29f34478261ab2fce

SHA256
f014da021cededa2673b11d2c357b715b43fad339d8eadc7512133878bdc0b52

SHA512
6d00cbefb58b39eae60d17b8bb1c8faaa50a205aeac4d941382b11ed2c556e5b95bd896fa9766d4d960f82022bda041faf86fd426e68dd8f60a186b7f067356d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
208KB

MD5
04a2f08b042c591ae196d0e33aba8749

SHA1
0c4db5dc90db44a43f7cc654acf3c76ef191cd9f

SHA256
031b64ccccc5ad881c1d6f6d066a745e80bd86e5a0511d4ec6ccaab684e9c30f

SHA512
e3288885c9bee2c70e9bcbd410bcf569607458d27e251efa7467e1be1eba6262b35000c90a7d17edd0613d875f6065bee1d0dd1d8e9ef756a7997130764cdbab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
41e1dc16860b8332e6dccddb5d910c6f

SHA1
546462b5524f9ec6c057f22ffcd78209a7edef4f

SHA256
c79895c98fbeef782e00d4c8c59343dedb6d1ec01aa86aee6b712519d6cd3b76

SHA512
277456df118d47d7746ec5dc8161491d256ef7b46431abdd27f84cc9d1ad6a94a18425d25c3a84a9643244d5f7047a56b72a43a1c9949c4a59ecf876b86be4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
2133047cdee5b78e3d6f3e95f8551d2c

SHA1
615ffe32c83b8f9a443658ea85c6741ab7c9131c

SHA256
f3ab4e0515bd2e7ec935fbbc5d15f51ffaf2393861002d67db93947044d46fa8

SHA512
6dde653e7ea3b3aa959c440a67f61c9900f6330d8411c628caa00d0e994a49b9ed69e9feb8c66af295105cd80e8724268ba2fef0e458229d36cec6ce47378418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
00f4dd04ea82c97c3c8f27861c3d9c3e

SHA1
9f916ba3cefeb673da129cc4de7d1dc5524506fa

SHA256
e09a2b2e5d5a469df332a75abb092ee8c4d599117e3a87b892c028125dd05c47

SHA512
c60aba8991e26d7cef9ddf917f84791ff8f0aec8d32ce14fae00c9c49945a4ff4e529b1767e4dfe18aef87175458f1b059a411a3dbcf53c7f790a54f22d1085a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf896f0b57cb94ac410b57a7cf8b049c

SHA1
29fe278860e4926fb0ab136454f49073e53b4045

SHA256
dab67224908bfd7fa97b6dbf889065f5020fdc98995a086765459a8f997b6179

SHA512
6fb39a50220e5e7d59e9c1dcfbce5e2212a5a253b6de536a86c1f38ac790a8c992b1a4a7973839fba32124e40781007e996e58a1a07e69c52acbf90d4ee3daca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e4f4ea14eebe11072585c23b16926900

SHA1
29de116887dd6df277b238018bee681480540277

SHA256
589f1ee136a29882dd006973208bbfd09ff3bfcb25a4cbed1424149da987de26

SHA512
be5fbd0ddbc497259d478dd31beba1ca9730aa44e6727a307c8aa08b855dab14d5b3304949413b2e6c123a0a6ac68e608926ffdfcce3d64b2821072fb427c2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
348996537a23b8a720bd0e83321af14e

SHA1
54d94cc75272287635b6d0db8f363657d1ce9198

SHA256
1a76b86b92427b8f91b925b2ba0b43ecc964f4aa3394fd11d1a8443569435fdb

SHA512
31315b05462373e966b516d7ba5b79eace235ba85b52a1113ed66138221770e0236258b029c3c7b99e3edb7d28866605a62588b9b7e30f8eb25ef693bb25b96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33aefc59acadac1ead917549e167b644

SHA1
794fbb1866f62f0b5138f88eae0089458e585e6f

SHA256
da64ff362cb291de140a20d6900f26964c8445af9afd5200d0711b805029be9e

SHA512
4b38954d7b6333b8e20cd9bc2d5ea2d6d78e6d5eb478b45045a3b50b34cc5c6875568df5255f452f7dea3859ea5e16561354a70e49ad227d4c71314e7b395dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
102e2ea7038ba4e0f903d646fb0f95e0

SHA1
aff5b89e01f596323bc1c9c1c59833ea0ceb8949

SHA256
4867431a12e5a9e4af930128f44a042b3fed768bd5381435b620587db1aac73a

SHA512
160d68d66866626f99586f27505810967efbaa01f28ffb8302b1c849443f0a44efd22ea7b9dc88108949703c3195bc3b9c80e5b2cac60b48c6f5457caf28e333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
676ce7aab0f3ad165d32a3ba434f6fb1

SHA1
0c7a2456db921a101a27bc34bd60cca08fdf9781

SHA256
2381779dd5c641434bf0a10919a32bfbfc35b7cb7c0dfdcad7d4c34556d9397a

SHA512
028de84155d217504e2fda70a17e872c51cc7ca17b2f856985307b8ea96efba8edfad5800c950dd92d37d40841df13c94cebd5b4350a1f91b9a69f66e5390f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\dd9f464e-a7b8-4b8d-aa51-a971af4cff18.tmp

Filesize
10KB

MD5
2ce738b3fd685e2c522099a40dd4b8a2

SHA1
1e716926ad1861754e8ed0e8039a245c8958d265

SHA256
a887a1f17114eb886ab32a4b97dc5d0eb6fe37865cb8f5c2b2cff6edccfd6867

SHA512
c236c4f3c6995ce8732c7e2457887730bd57a9bfbb24119a2d1f7166a9fe1dff2fae1c3145d729162f6da9bea9990ff199377d168d6dd7354a647f881938665d

Download Submit
C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe

Filesize
123KB

MD5
e380a06e92e2c248ae4637cc78dbc755

SHA1
fb774a466db1924eef5c5b7a928d0a3970172e56

SHA256
7be871c195e8c6a89540fc7233e30ce2e783577f813305412a133cce78819472

SHA512
3f3141d656be3efbfaeb6623e613d70b2171d890867d7dd388c445523b8e7d2d8c52a2a7ae6bb9c55b6b20a4228b9981df89269586a8b817ddce4af86742058d

Download Submit
C:\Users\Admin\AppData\Roaming\FireFliesTeam\Fireflies.exe

Filesize
179KB

MD5
857ed0be4a9154dacebec0ac86ba0d72

SHA1
107adfe24d22cf2d287c3ac22a7873accbeed1c9

SHA256
8e056fc07768fef25c1b08227d3bf4d4087482e25fe417fba4e1dfd6eab51baf

SHA512
109159097bd534f03c818c2a7d6eefd11ff4ea9ddeb7765d0f79cd376ff2eadb674d39110fe2c444c59cff35affac2c2464b33370c7a33e2253d44e48df9568b

Download Submit
C:\Users\Admin\Downloads\Fireflies NEW v1 RELEASE.rar

Filesize
7.1MB

MD5
7da94f81c9cb420e271bf35254e6ca76

SHA1
0ab339efdb2f956f4317c5a547077aa5ba829224

SHA256
61a84d6b8b073c2225c8b35415a6abac4d58f1d6f5733c99b0f09163d8ab9a38

SHA512
983da7f6c9d310cdf604c42738cb0fd1e12dcf55d03bb36f2450934da36a0dc6d7d245980ad5a2645a9c9f0ef78cc2c1c6908034881f36e53a54ba2142cea3b3

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\FireFlies.exe

Filesize
747KB

MD5
b924870d4fd4f479e3788e2207168346

SHA1
0300a95edaecf141bc2b270bae875e1462ca11df

SHA256
1050431ceb26c051dbaba131275d01ab7a9055943111a2a2aff169caed0025ba

SHA512
bb9819de95c3cda429932f41332210d8b8ee40874202ad397c6b928e08eb86d63157b0ad04552a156c20c0e99c8387469e67d7e4fed9259d9ea000b70a6b7c61

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\FireFlies.exe

Filesize
372KB

MD5
d562d5b81014ede2e111e850ebb64da1

SHA1
7d22e4f12d5791abad2cb53afd663bbfc54aed98

SHA256
ac13736b3febbe39759d1c81d7c53de763897c73b41c1807e7b02576502a4e6f

SHA512
3c32ac49171295f622441e05e866dfb286a169cc4e40faf41246e24a84fe379f68ab4eb0764421325a794e838926def3cdd895972e027946eb80db4dee237235

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\files\injector.exe

Filesize
231KB

MD5
85dfb3f8eb6e5b4cdde24a6a5c29861e

SHA1
e7e8f506c61992b9a7afb0b3051c981ada9a50bb

SHA256
afe4c7552fb3b337397cf2142aa11ce16cc2a20f67ea3ae86012cdf006e57b87

SHA512
28722092784534d2322f6281c22ef760f582f8c6826c16862ff5b2fe938f726ffcb35c26f7bf110ef9174f4e18e42ed202db73dd96d6e9199fdcad264df8b937

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\files\update.exe

Filesize
413KB

MD5
099df0105d9a5f3d541b557e5d75340f

SHA1
6f9afd61813a5ba9a247f93886571be8cb2a66f9

SHA256
d09c51c8e8a1ef7e998b03097959113713150ba24e07baa89c67b256a766ad53

SHA512
875a87d7aa3b44bf49d90a8e051df4a32b99384297ffc85de0b5781ff7c4f56dbb90616ad121e28f7c44d129ffad1c6206353212d9b513ec6611e4a04152d7bf

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\files\update.exe

Filesize
223KB

MD5
b7af5a9dbc93a50c999810d29ddd92ec

SHA1
dcaab913719757d25ed5b2eacf6b48e9e20dbd47

SHA256
01c104146a49ca527d99f9b5db7b3bb08dfa586f8f1ed26b9f9e0399e19f3d0c

SHA512
434d2489e7cfac3aaccc9b40f3a56433e69fcc0fc778a34decd1a3ed8b588a6b0a139efe4b6f0f29513474fa8d6e39d326f5cb4fdc90c69144b5262d52e93de6

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\modules\Embed.json

Filesize
1KB

MD5
9eaae3ff968bca644b0bc524e99a7639

SHA1
79e3f53cc793d9eba8c43294207fefff7bf5b385

SHA256
270c845a380b55e1bada743b93aea74e3607e8d2af3e1cba0b8741d03b3075f6

SHA512
833e2860f1573cb769619dd196e779526e95171fe2fdb186d0b3b36c40aa99b0d55137a25bd12937c28abe936a58dce823ad02c439b3ba5316c664b15eca4d52

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\modules\Newtonsoft.Json.dll

Filesize
282KB

MD5
8120b20428f73108d6b9b9afcc8dd0f7

SHA1
4e53904b7900ef767dfb20d96f718ee669441c54

SHA256
3d40c5bd6cdc47c0842451becf06de5e8ccd1a9d2e4bea6e4e07bf289e2d3c28

SHA512
401c6bb17d1d57126868dab7045cbee92325ec0ecbad864e41ae5f05f154bdacc22feaa25717b365d01d35b4cc9fe2e0f9f2c8798f342ad8d4d37e0240eede22

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\modules\Newtonsoft.Json.dll

Filesize
290KB

MD5
8e4dd77a74e9c8473c55e1403d4faecd

SHA1
a8bb77c50db23c2802be3f3909110fe5da497552

SHA256
d91a02dc920ceb382f0660926d7ee4ad52eb30840c109c13037548a10d64a25b

SHA512
b35fea6a850263f0aca53eb3d75e41999e95d0dafd51804599387ce48affaada1935cf7ba975cf87a5cc1fb0c149f587a560075d5dbd1dfe9cc31b519522aeb7

Download Submit
C:\Users\Admin\Downloads\gfdfyhu\modules\Newtonsoft.Json.dll

Filesize
439KB

MD5
41e1810cff7db84d7759883133def95c

SHA1
0c51ef70384fdb735fbbc31f25871af7d6c64ccd

SHA256
651fca4e67e39c1370f526b2ec414d6faa56773cc73f91c9b8142587808f1551

SHA512
0ac6fec6f4ad8a5621ef2e4d44d50dd4443d7cefc69ff73d091b634435ebd34d51c375fa69434d900c7b0d35e336b89c075230f83aa4f100a4e77920b273bc2d

Download Submit
memory/424-4-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/424-6-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/424-5-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/424-0-0x00000000005B0000-0x0000000000670000-memory.dmp

Filesize
768KB

Download
memory/424-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/424-2-0x0000000005590000-0x0000000005B36000-memory.dmp

Filesize
5.6MB

Download
memory/424-1-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/1552-516-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download
memory/1552-520-0x000000001B020000-0x000000001B030000-memory.dmp

Filesize
64KB

Download
memory/1552-517-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/1552-526-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download
memory/1564-641-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download
memory/1564-529-0x000000001BEA0000-0x000000001BF52000-memory.dmp

Filesize
712KB

Download
memory/1564-528-0x000000001B270000-0x000000001B2C0000-memory.dmp

Filesize
320KB

Download
memory/1564-527-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download
memory/1564-746-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/1564-747-0x000000001B400000-0x000000001B412000-memory.dmp

Filesize
72KB

Download
memory/1564-748-0x000000001C6B0000-0x000000001C6EC000-memory.dmp

Filesize
240KB

Download
memory/3644-501-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/3644-500-0x00000000008A0000-0x0000000000960000-memory.dmp

Filesize
768KB

Download
memory/3644-519-0x0000000008AD0000-0x0000000008AF2000-memory.dmp

Filesize
136KB

Download
memory/3644-531-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3644-515-0x0000000008B50000-0x0000000008C02000-memory.dmp

Filesize
712KB

Download
memory/3644-502-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3644-530-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/3644-912-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3644-913-0x00000000745F0000-0x0000000074DA1000-memory.dmp

Filesize
7.7MB

Download
memory/4148-509-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download
memory/4148-505-0x000002202F140000-0x000002202F180000-memory.dmp

Filesize
256KB

Download
memory/4148-507-0x000002202F6B0000-0x000002202F6C0000-memory.dmp

Filesize
64KB

Download
memory/4148-506-0x00007FFFBCED0000-0x00007FFFBD992000-memory.dmp

Filesize
10.8MB

Download