empyrean | hxxps://github[.]com/Rngsweetycalf/LeanV2-Master

Analysis

max time kernel
605s
max time network
439s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18-01-2025 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Rngsweetycalf/LeanV2-Master

Score

10^/10

empyrean discovery stealer

Malware Config

Signatures

Detects Empyrean stealer 1 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046379-544.dat	family_empyrean

Empyrean Stealer
An Open-source information stealer.
stealer empyrean
Empyrean family
empyrean

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\42e20f8c-6f89-4011-a0e0-013f0b09457d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250118053149.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4824	msedge.exe
4824	msedge.exe
1032	msedge.exe
1032	msedge.exe
3528	identity_helper.exe
3528	identity_helper.exe
2556	msedge.exe
2556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	784	7zG.exe
Token: 35	784	7zG.exe
Token: SeSecurityPrivilege	784	7zG.exe
Token: SeSecurityPrivilege	784	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
784	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe
1032	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4812	1032	msedge.exe	81
PID 1032 wrote to memory of 4812	1032	msedge.exe	81
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4408	1032	msedge.exe	83
PID 1032 wrote to memory of 4824	1032	msedge.exe	84
PID 1032 wrote to memory of 4824	1032	msedge.exe	84
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85
PID 1032 wrote to memory of 1284	1032	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Rngsweetycalf/LeanV2-Master
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffddd246f8,0x7fffddd24708,0x7fffddd24718
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7b2325460,0x7ff7b2325470,0x7ff7b2325480
    3⤵
    PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,890359982576223560,841334635151052891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LeanV2-main\" -ad -an -ai#7zMap13522:84:7zEvent16567
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:784

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\READ ME BEFORE ANYTHING.txt
1⤵
PID:700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\src\main.txt
1⤵
PID:1936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\Multitool\main.txt
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17ce65d3b0632bb31c4021f255a373da

SHA1
a3e2a27a37e5c7aeeeb5d0d9d16ac8fa042d75da

SHA256
e7b5e89ba9616d4bac0ac851d64a5b8ea5952c9809f186fab5ce6a6606bce10a

SHA512
1915d9d337fef7073916a9a4853dc2cb239427386ce596afff8ab75d7e4c8b80f5132c05ebd3143176974dbeb0ded17313797274bc5868310c2d782aac5e965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63af7b2048710d6f167f35d94632a257

SHA1
812c8f140a72114add2f38cab52fd149ad8bdcfb

SHA256
15aafcc88226b6178e02a93858555ca48fb205ae317815ce31aa547555329046

SHA512
0519b7dcbce66aecefbd2aaea6120c0da213d8bb3e00a7599bf2e390bee3f643baf952cc553766f8c2779fe9fa303570a56a8c846c11e2fcf9c2075c1e41ccc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1c169dbb-8a8b-40a7-b00a-199cef985b48.tmp

Filesize
24KB

MD5
b8d5a6329bbc5edf31844f6bfa4ae972

SHA1
1014d91ea7a8867459e7014a725794728d75793d

SHA256
2d90e12869f60c869911a3030ea58211b6b0da7c53d396769f4b3dea0c406309

SHA512
d6b4a08d7188e48b3ec2dbaa78f1ccc23334f43266602c677ba5c52d54554ad02e5ffc32e852de47291e3f1291dfc34db62d4a1eb5f631aad0a0340d30e5f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\658c9051-809f-4b04-87b6-ef52cb88eb8a.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
485de3a101b36cc014f729af3153ba27

SHA1
3689206e1c43a25a69447e8221d2ee2402154e05

SHA256
9a3cecc4b362b2d18513df40ca55540d1283856ac73fdf4b7e54fbcda4e16ee6

SHA512
a4a7c8ccfd272ace82064d4b59ac3d2a860297c1e4784893d252f6347999c97fae1caa081ed8a727b00559c9a1b6c33dbb901e1f566988c0c1676e79c13c7089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
045a48d8bd6226ee65f228c7971ef485

SHA1
d9f58ebc771a9e12fe2822003d5b37eb6ba8c9c9

SHA256
c5d59dc6141eda5c8c2f7471ea3c139be76fd269fdf05bfe7e2583e1c0afeab9

SHA512
62451f317ddb56c092d075768c33ebde587f88d6a00491e58f2c9905b1f00744298bbed8dbc4528fd13665a5b4b9e7fb30de77b97808ed00549fdfee62cb9812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
aac7c354eaaf7729c023d3470f09dd56

SHA1
dcbb2397a8c4559f9e10f89317d86cd5c1f17e78

SHA256
2b465bfdca42354c1b22b5473e47c07650def7ffbdd4c1a463ed1b6d42d291dd

SHA512
cf3c691fe54030080445abd9a26f77a018a5de3f408ed89b998d0b171fdc801f52fabd8c4caa8be2f3b3cb97a7be50a992bf8ce9de26a59ff0530d0e32e58204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe57bbbe.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6e2e002b77957e3171c4620f5828df95

SHA1
d46ec096512dbec9d4fd4e2e7cb3e7ec1ceea8c5

SHA256
d5aadac4935a2e131c88f2123287ef293bdaaec85baff07c03f71ec1a19967d3

SHA512
eabe6c95118e64ed7629c1476d05ed546f40bb197c1ce169c947604e1c9c91c8283ccb3a5bc93bb55377e57978178f00c22f63bf7aaab0bea9e9950b2c5a4146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d523fa87cc5304414438bd98b1615e99

SHA1
5a613756858012fa9852032a1118f3cdc5d6afd7

SHA256
5ea3190fc73c4391e4e5d01dccd08f3a71003704dee97d7111c33b19b09e34df

SHA512
75cb953c2ec3d2d9a6e0c7fb917af4a990573e3e84dd08a35ae61d2015832bf868705838284137b3753a55bd7156c9ff998816eafc769d6bffc50dfdf00a82c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
88de19bd7d74214259114d8cff58a1a2

SHA1
3cda780ad116eb170cb5c8bad55c1823844f0ccb

SHA256
0eb9ed9ad287962070edd48ca2c3b5ed48da337df0c9d83a23f206072ddeed01

SHA512
084e35377cfec77f5afa89636046f88829e295d9790efcb935028004ef9365ed758b52e7892e564d12d0908329011f20f13f875a84ebdd92c5d03867e73c5c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8ade2f3a82060e6d5b1e97b275213d86

SHA1
a13c13d850addf7c1c1d58c583255f77b40b7834

SHA256
fc73beb5ec396531d7267cd4980e720590ae4c7c34b6bc63bcceef59730d324d

SHA512
51d989a44462ffea680e4bd9b20c46705793236712d11f0400e12caaac3512d662a41b4b49e7e309c8e752dc7738eda080451b74736c6428541196dd7bb8ca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4cbceb674f701730d4c6902f2ede1d76

SHA1
2abef7c14f929884009df3ade72960abdc951416

SHA256
7ea56a509b2b6840eae57afb87d19bfec700a493c0aa1163d10f44c67ba83cb8

SHA512
c02d91c000c7a6b1e1e9af1b0356a41aec4ccb333b91f97ac954fa1ca804fa3f86c58da0a620ec22203753ec9c8fd65faf760284308027c5ad85188c176f2363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bbaf.TMP

Filesize
1KB

MD5
54518d4aaca360fb711d0cda307e180f

SHA1
7021ea7186930dcc7b64f79fb7c00559b7124adf

SHA256
a8fd1c230521da5be49e4f371ae0b1b1cdb7bb49c05aa90e2853ff3fc3c4f3cf

SHA512
7f122dcb5b25bed34789c9771e6d08300b998b1262143c64205b16edca6c07c3f3a40782ba396babfc0ab4346fcd0192e0d241ced68d208af393e35e3f1d4a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
453329f37c8a6be3774f0da9cbca1118

SHA1
917d51fb8e8177a0be2adb47c2b13c7ac844481a

SHA256
e736802703e7181f64fb3d1be8f55d30b0d23e48f132e78f02013cc1eab7fea9

SHA512
63149ab9616b3beadd4f982072c50268e39600e5681a934e563df3d41119c14fffe52353846e0d948c8bf6633124a81330443c3e3d8079a24e6359e8d4303447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ade00eaf78c57ae25e27201f811ebcbb

SHA1
2e1b523cec0dae34048d660536f20df61b800180

SHA256
d10efa68c6f7232d732ecae54e19c72bba63727573f0c9bece8f9aec7c08d08e

SHA512
b921886ba6939e2931ef36b7ed8d8e2b253e23c3d0ccb2e8e2e392a2a10b853a50b9d2e75aaa1cfd6bf58669aa7e876315ea9e67f0457045d5f98c9bb5a397b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e023d2973170b9a9d6c87e790c85ae77

SHA1
818ab5daba71e012c186bfb7758c645f5ed3372c

SHA256
12ae3c070d042a5406f8236d8c8c21f6d56c5f7c7eeaaedfb2cac18742a9986e

SHA512
c75b564bb0188b819a68d51a5c9ac7899ff96653a1cfbc8901edc2d1559fa37805ee3bb3ca96fd6dbcca1eb73c5509593d67cf33704119379c9d09fac03004e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7752efd3dafdc0b4c12c8cb7a6b6608f

SHA1
adb7e1037c6a72cdaec47d54e7cd91ade9d25d0c

SHA256
a2f59a88b482c3af7d1b903f943a442151b80f6c4daa55d793da60a070381cc9

SHA512
60e818c2aecb4ae7af78d429a05d775820e79857130fad6f84534ee7d59d5fe8eb3f204f85f8b648586da8ed8e23ae24169e8eeb59c61a2ed910845f64c98a3b

Download Submit
C:\Users\Admin\Downloads\LeanV2-main.zip

Filesize
33KB

MD5
57e97b6391b8fb92a4f01d893bdbfea4

SHA1
f9771852accaa10d93007e3c67b2df2c1a7db04d

SHA256
a347657ac1164e24a0e4658b657c170604561a4b185a7870cfad68931d5f3ffb

SHA512
31e45bd876d493c772c91ec67d2c8bca03ef26824f6f684b5b438e8ffb4a3d8fa7afc48a9210830f90d087f07c55918dc846bbe2d5b5261a2497bc3399c08872

Download Submit
C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\Multitool\main.txt

Filesize
1KB

MD5
ba1fda5f75f9c66d0cc0c0b8c765f3b5

SHA1
24910918fea9ce6fea7e5fb8789c0af5269d867a

SHA256
babf25f3a055d02fae10d5b68b909bd60cfbb7772eb726bd7d617c488db221d0

SHA512
d9cc84eabd33bafcf0348f2bd9c421baa1559a0a6aa871c66826645fc01fba19491647b93a54baedc6f3e1da1c88546455d0e99b045837a6464494c2953de025

Download Submit
C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\READ ME BEFORE ANYTHING.txt

Filesize
182B

MD5
76fb033d1ef7710c37012ba376bc1523

SHA1
c70f21d79ae5d9d750a92b1ec31dff4ea0c52fc6

SHA256
0b08e4d2ac401639dddbe095f0e2659bb8e872c25cab396250402842791cb53f

SHA512
bca1c59f222d45a48a483dd1a63d026feb63b9d3d280d78ddbea9e43ef96243d8f60250c151bcc0b24533eadbc6ef62fe506c18424338847f5d600f25854de9f

Download Submit
C:\Users\Admin\Downloads\LeanV2-main\LeanV2-master\src\main.txt

Filesize
1KB

MD5
db5386b5f9edfc7500d0508fc49a9a59

SHA1
4c79b803e2090d86dd38c7671b1a9b5322b3cf3a

SHA256
ddfbeb221f72eaa4c8e2e4dcdf604307dcfd0d9168c0837a10110cd809f82060

SHA512
a5c6435242930285e41e98e7284fdb0708f654b849e697bd10e8ad12631d5e83e647b775a1bf6d61b9a2958d4969c475055ff3071affcefceed3234b92d69634

Download Submit