ammyyadmin | hxxps://samples[.]vx-underground[.]org/Samples/ATM%20Malware/ATM%20Malware/4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc[.]zip[.]7z

Analysis

max time kernel
89s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 11:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/ATM%20Malware/ATM%20Malware/4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip.7z

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023340-157.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
2360	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Service\msgdi.exe	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe
File created	C:\Program Files\Common Files\Service\service.exe	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe
File created	C:\Program Files\Common Files\Service\sconfigng.dat	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3008	msedge.exe
3008	msedge.exe
3352	identity_helper.exe
3352	identity_helper.exe
4944	msedge.exe
4944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	5960	7zG.exe
Token: 35	5960	7zG.exe
Token: SeSecurityPrivilege	5960	7zG.exe
Token: SeSecurityPrivilege	5960	7zG.exe
Token: SeRestorePrivilege	5736	7zG.exe
Token: 35	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeSecurityPrivilege	5736	7zG.exe
Token: SeRestorePrivilege	2360	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe
Token: SeBackupPrivilege	2360	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe
Token: SeShutdownPrivilege	2360	4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
5960	7zG.exe
5736	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 668	3008	msedge.exe	91
PID 3008 wrote to memory of 668	3008	msedge.exe	91
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 4508	3008	msedge.exe	92
PID 3008 wrote to memory of 3576	3008	msedge.exe	93
PID 3008 wrote to memory of 3576	3008	msedge.exe	93
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94
PID 3008 wrote to memory of 400	3008	msedge.exe	94

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Samples/ATM%20Malware/ATM%20Malware/4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip.7z
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffa068b46f8,0x7ffa068b4708,0x7ffa068b4718
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,1481110509264073316,11022047160106909146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5388

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip\" -ad -an -ai#7zMap1317:196:7zEvent27293
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc\" -ad -an -ai#7zMap8418:324:7zEvent26792
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5736

C:\Users\Admin\Desktop\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe
"C:\Users\Admin\Desktop\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3916055 /state1:0x41c64e6d
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
194B

MD5
c753a51b344f5e0b7614e6b335efce1a

SHA1
ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5

SHA256
b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494

SHA512
c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00a25364a0f4f9e2320e7b98b93ab9b7

SHA1
3d6f74bc2161935bca995e55801250c1fe5c5fa0

SHA256
d9c99f6c0d02679e7bbf05fe336445f35cc98536dcd2d7e7d6f88c127fd42cad

SHA512
5bf76c32d22a2ef68bd45a79ef91d0b149cb71733e1a9f7400c0bf8a89570e91cbf83fd5794b9ed42bf9b09bd25ca061469f06df29ace57dd9291efb24413d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e69127246d6472acafb02bad0bc0114

SHA1
fc3c91989b2232fb32ad59080334fe60274a1064

SHA256
86126c2512624f423c68406a8f3bf863b8060cbf5618035d54dd9e937d1d77d6

SHA512
312c597423bf06065e006cf2f6945eef480d9027d15c4149912c7d1c28e830045399d5285568c592e3a96fbacea68473ff3a1536ff617e46679616c6fea953ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae39ab0030afe57602dec1ac42cfe6d7

SHA1
6218c672e43136b02fac96d11b4b2c86a80a2091

SHA256
1c3b030ba9cedd906e889f575b9d0263555fadce26973067723f6f4f266ce101

SHA512
19516fe115e948a524722b95a15daa05e088e966069eb990d10d1e26677382295bed8f63efdc7ec99706ca703469ea1420b24708f7820e905f68f1115189f671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff5a68d752a9e1131f462647f416e8fd

SHA1
6b687cc16cf7e52844d90322dc4794467ac7ddde

SHA256
d6d2d3136397c91a20b09ff75c1b115aad5bc8ed5d5f7855a11898ba58d5ca5b

SHA512
ca248015bc66d7c177f321d8ba3f37dd7aa3084473370deb949bfcd03bde8bcbe493b671941489626190ed789e84eccb14ccd32df153e980d5c380070456252b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e54bdbb98a4b02b3bb9c897ceb28464

SHA1
d0bd2cab7c4bb7e3e29987a2b68ab0a712cbdeaa

SHA256
8a950d536deca6ffa9a91c5ea6a819446bb5177c2fbbd4e1a978afa110edbc57

SHA512
14004ea795b4bde28d7dc6c46c5b421977c082c71a96055ad252f92afd4d44e58f0461ade5de07f8bb9a463810ec62fdf09507eb3cf71c1c6728b7e1ed012571

Download Submit
C:\Users\Admin\Desktop\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.exe

Filesize
1.3MB

MD5
795ff3e400d08e83de67d23dfc4f0201

SHA1
1f087445edee192d810d383d182c8350e45008ae

SHA256
4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc

SHA512
0f32519ee37c10d8327338f16d1675ec9d169b929e2af111d2c6c2c03d3d27db175bdc3b290f9d2cdc7546d411d991a70667ef39b505432e050f60af91661c08

Download Submit
C:\Users\Admin\Desktop\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip

Filesize
747KB

MD5
ff8a9ed80f397f3562b38b326b92b02b

SHA1
73abd7c86550a222f44cc5228943194828ded7a1

SHA256
b1e0f38614cc54dde9ee579ca2e46ed6f48784fc4e1435415197095f6ea6c04e

SHA512
6ae3d45e50056472822a869dcf1a0200debda322fb5ebe7154ce45a365493a74e7c95c126612d4d54dae40095e5d39c4de558237dd8e12256e5bc14186baf63c

Download Submit
C:\Users\Admin\Downloads\4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc.zip.7z

Filesize
746KB

MD5
4e6e25d391f95f20189deda6bb4ba949

SHA1
17369b7ce576948293b7afa693d050f52df1d261

SHA256
08610673d9d55f2ba544fa40841225ebaffecf7e6630e4c9d4efd8c0ffe4c0dd

SHA512
d1804642957381c6a1e0353b38d55d18fc6d50e805bb5fb3f736cc1d6a133a255e57aaea162b615e3de1823b857650b1a11962cd8a1a1451f2f0be9b824bcb63

Download Submit