revengerat | 7f74247962c61d595001a2d02788e55290265ed177bc696802f6f4eca51e5796

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LeeTextTools.exe
Size

935KB
MD5

45c16f2c3c9f43bfaf3f4bbed777773a
SHA1

9b4e4b6a6a79a3a668f63803d2a4d03a81589ad1
SHA256

7f74247962c61d595001a2d02788e55290265ed177bc696802f6f4eca51e5796
SHA512

7d7ae482968d38c98f947b87520817a6165148a3e66cf89352a96a4ed5d6d6ac6e8cfa843c819d711ef066df20195bfb93b571738519bc6751826fd7b9398538
SSDEEP

24576:GkHfaEEJ40aLb49n5/hLEjaEEJ40aLb49n5/hgCFzwgy:GkHfaEEJ465/REjaEEJ465/9Zw1

Score

10^/10

revengerat nyancatrevenge discovery persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

amazon.capeturk.com:100

Mutex

eea5a83186824927836

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	LeeTextTools.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2420	Setup.exe
2892	Setup.exe
1268	Lee Text Tools .exe
3764	svchost.exe
2504	svchost.exe
1724	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer.exe"	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lee Text Tools .exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4584	msedge.exe
4584	msedge.exe
2848	msedge.exe
2848	msedge.exe
2800	identity_helper.exe
2800	identity_helper.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	svchost.exe
Token: SeDebugPrivilege	2504	svchost.exe
Token: SeDebugPrivilege	1724	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe
2848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2420	5012	LeeTextTools.exe	82
PID 5012 wrote to memory of 2420	5012	LeeTextTools.exe	82
PID 5012 wrote to memory of 2892	5012	LeeTextTools.exe	83
PID 5012 wrote to memory of 2892	5012	LeeTextTools.exe	83
PID 5012 wrote to memory of 1268	5012	LeeTextTools.exe	84
PID 5012 wrote to memory of 1268	5012	LeeTextTools.exe	84
PID 5012 wrote to memory of 1268	5012	LeeTextTools.exe	84
PID 2892 wrote to memory of 3764	2892	Setup.exe	85
PID 2892 wrote to memory of 3764	2892	Setup.exe	85
PID 2420 wrote to memory of 2504	2420	Setup.exe	86
PID 2420 wrote to memory of 2504	2420	Setup.exe	86
PID 1268 wrote to memory of 2848	1268	Lee Text Tools .exe	87
PID 1268 wrote to memory of 2848	1268	Lee Text Tools .exe	87
PID 2504 wrote to memory of 1724	2504	svchost.exe	88
PID 2504 wrote to memory of 1724	2504	svchost.exe	88
PID 2848 wrote to memory of 1372	2848	msedge.exe	89
PID 2848 wrote to memory of 1372	2848	msedge.exe	89
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 1044	2848	msedge.exe	90
PID 2848 wrote to memory of 4584	2848	msedge.exe	91
PID 2848 wrote to memory of 4584	2848	msedge.exe	91
PID 2848 wrote to memory of 4556	2848	msedge.exe	92
PID 2848 wrote to memory of 4556	2848	msedge.exe	92
PID 2848 wrote to memory of 4556	2848	msedge.exe	92
PID 2848 wrote to memory of 4556	2848	msedge.exe	92
PID 2848 wrote to memory of 4556	2848	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\LeeTextTools.exe
"C:\Users\Admin\AppData\Local\Temp\LeeTextTools.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe
  "C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/LeeSoftware
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffdf8f046f8,0x7ffdf8f04708,0x7ffdf8f04718
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:1044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
      4⤵
      PID:4556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      PID:2844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:4864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
      4⤵
      PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2070403541956776596,17070692855739004161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
8e1e19a5abcce21f8a12921d6a2eeeee

SHA1
b5704368dfd8fc7aeafb15c23b69895e809fe20e

SHA256
22cf24d10cc11a9bb23268f18afbc8f3481c27e1feb4cb42ba5c8775e12720e3

SHA512
48365f858592d677ef5d0e2948f672234898e47a153eec32592a2e079353702a64e41e1aa59250f05bd690690b9edfb8455dfac90c6695fb7c0b6907a057fe78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
2f142977932b7837fa1cc70278e53361

SHA1
0a3212d221079671bfdeee176ad841e6f15904fc

SHA256
961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

SHA512
a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
67cd2bc4a96c29d23b5d39be79258195

SHA1
9f096a7b6e565708167ebe5800d930f2611f17e4

SHA256
3a1fb2e802ca701c60211d99689a5b69f11d56e62d79e53f0ae36f31720c967f

SHA512
0861d6bf342e3cca3c20159d4b8895e58c935d5cf00f81d6f37dff0e0183541a250a13fb7ed0cd6fb9f3dde3a92f7f595a0363fdccdce53be0e09919edc2b7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
242B

MD5
e384a795d1e597feb0a5bebd13dcde50

SHA1
7ce66637789b61ae163c1de62dc996a99cdef796

SHA256
42a6ef02d02be95231cee980c97d4398ac167e7264a5cf838b3e3a2ad2a3380b

SHA512
36f58ca4b73ed5fdfd9b2557d09203189dc9cb3db29ee9716f89bb75a8f6d1c32cca67e597dfefb3b9074be0a024ba51ff40d8024439ccbb16d17316abc2215c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6da9edeac75be677a0c98fe3a455dd2

SHA1
9a468210d6226117cb5265f3f029e3b49bddbc9d

SHA256
5efb7311b413fcc7304c6bd4e2beeb668f0bf21ecb473da0c599876a314f6123

SHA512
48ebc4cf0195ec9b5da2254bc2ac4586af08145dfa8ad96da9ccb7b40ab4407d9d5191118ebf2a40bbb9dd9bcd0b829abbf1f610683fd4cce29e260a9085233d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ddf3013740f80f1df2585ba077fca62f

SHA1
10cd78f8be085c2282eb28b14b5975df0b9f01c7

SHA256
627dd9075fbab20801e94a0ab24f79270eb71d704ef889f615a1277f43b4f5ab

SHA512
6333d1962146939ed380de0bc0834fe31cd86aa2504c6c6ec15f7a6fbb8aed0167350c2a1019f370ee75143c397f820a54fe5008ed006d7dd4a4558a01181352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3511ca76a0e6b227be95510e0e0e8144

SHA1
fad2e9488c904193a84f0f22e351afae1d302a40

SHA256
dff252e3e2758a0bcaa0d4e3f6d3914a040f3653dfc7ca0df79b0b21bb534260

SHA512
f95d817cb919b56de01414b6490a615e63f86abcddecb5f3843a4c4a645bfa5287d93e2629d2a8bc2f606c2d9bd7a20b60e3fba744e4e0f75b9d8b729d06b55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe

Filesize
563KB

MD5
c6a289d6258169b171835ea60ab103eb

SHA1
ee3d99e430369f4487c411853f6ab0b74f6b2d85

SHA256
e3114f5d8ee3f633248221966a4cac29c6ea2423a264812ab52c4112b214e528

SHA512
8e0f2059455d27f3ad29e970b999d11d338b8fdf0a8e813e89d1d2d4a9b984279c32d1ee3c922a10dd162ea06574d33f405be86cabed502f9946a5aa5004a85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
356KB

MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
63KB

MD5
d298454882caac154fc9217fc7e90499

SHA1
11970a2f8b9d1153fbc7fe925a846bd95e07e96f

SHA256
badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100

SHA512
e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
256KB

MD5
c4e4407b5fcf49586ddd5d5573ae4b95

SHA1
0f60aaaaac09d4f9273207114fcc78c0bfb250eb

SHA256
8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

SHA512
95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
99KB

MD5
5f71fad242ac5e7d2aeb52225e008a06

SHA1
de750ca7460ce882fe52ff4e64ee23e6ffb547fc

SHA256
7567df4eb56966fd92876c3ccc4e73661ae8e22663bf801ab1eb0c13c715a051

SHA512
df008417c026d92ebcf8e667fb30028a987d641f2cab77ffc64fa44a29f0a6d47a8317213b5797f953e30a5f4e31899d7b10f544b3fe2af1df2d389d50f38188

Download Submit
memory/1268-45-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/1268-44-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/1268-49-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/1268-43-0x0000000000500000-0x0000000000592000-memory.dmp

Filesize
584KB

Download
memory/1724-100-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/2420-17-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2420-54-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2420-33-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2420-18-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2892-51-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2892-50-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/2892-42-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/5012-0-0x00007FFDFAB05000-0x00007FFDFAB06000-memory.dmp

Filesize
4KB

Download
memory/5012-40-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/5012-6-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/5012-4-0x000000001C4C0000-0x000000001C55C000-memory.dmp

Filesize
624KB

Download
memory/5012-3-0x000000001BFF0000-0x000000001C4BE000-memory.dmp

Filesize
4.8MB

Download
memory/5012-2-0x00007FFDFA850000-0x00007FFDFB1F1000-memory.dmp

Filesize
9.6MB

Download
memory/5012-1-0x00000000012A0000-0x0000000001346000-memory.dmp

Filesize
664KB

Download