Overview

overview

10

Static

static

10

AAservices.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2025, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AAservices.exe

  • Size

    5.2MB

  • MD5

    b6d4cf90524ad23f23b424d2fc026301

  • SHA1

    4350535f3206ea439d2d320b06eaa0ab9141406e

  • SHA256

    519bcced29022f139097cc2c56c9e3489329bb63017f202dd15b5234c2d76d0f

  • SHA512

    6ccfd3376c47d1dc0615ce54adef257b69398b61c8cd9ec89044150d0c027eb6ee54e8955a34b953b849f935265f846583e30ca414e493f397cbb94446540910

  • SSDEEP

    98304:5v6FYeZ3vFpkRmGWoTxi0wGGzBjryX82uypSb9ndo9JCmVq2q:QFYeZ3vFpkRRdwB3ys2uypSZ4JCEq2q

Score
10/10
orcusstormkittydefense_evasiondiscoveryexecutionratspywarestealer

Malware Config

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Orcurs Rat Executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 8 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AAservices.exe
    "C:\Users\Admin\AppData\Local\Temp\AAservices.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color F0
      2⤵
        PID:2304
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AAservices.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5208
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\AAservices.exe" MD5
          3⤵
            PID:2288
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            3⤵
              PID:1428
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              3⤵
                PID:5348
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4432
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im HTTPDebuggerUI.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5564
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4648
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im HTTPDebuggerSvc.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4680
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4712
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Ida64.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4836
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5064
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im OllyDbg.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1256
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4672
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Dbg64.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1552
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1828
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im Dbg32.exe
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1404
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4784
              • C:\Windows\system32\sc.exe
                sc stop HTTPDebuggerPro
                3⤵
                • Launches sc.exe
                PID:4860
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4812
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4888
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4928
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4952
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pub-df9b8adf344d43928bcf03e42ff0c130.r2.dev/AAservices.exe
              2⤵
              • Drops file in Program Files directory
              • Checks processor information in registry
              • Enumerates system info in registry
              • Modifies data under HKEY_USERS
              • Modifies registry class
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:4984
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ffb5a33f208,0x7ffb5a33f214,0x7ffb5a33f220
                3⤵
                  PID:1064
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
                  3⤵
                  • Downloads MZ/PE file
                  PID:892
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
                  3⤵
                    PID:3792
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=3132 /prefetch:8
                    3⤵
                      PID:2932
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3496,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
                      3⤵
                        PID:3168
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
                        3⤵
                          PID:2764
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5028,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
                          3⤵
                            PID:4760
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5052,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
                            3⤵
                              PID:1532
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
                              3⤵
                                PID:5736
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5652,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:1
                                3⤵
                                  PID:6140
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5932,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
                                  3⤵
                                    PID:5196
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:8
                                    3⤵
                                      PID:5236
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
                                      3⤵
                                        PID:6084
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5996,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
                                        3⤵
                                          PID:3852
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6580,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:8
                                          3⤵
                                            PID:2984
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3948,i,9975893447203774956,15567889567837839439,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8
                                            3⤵
                                              PID:920
                                        • C:\Windows\system32\AUDIODG.EXE
                                          C:\Windows\system32\AUDIODG.EXE 0x3fc 0x244
                                          1⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4612
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                          1⤵
                                            PID:2800
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                            1⤵
                                              PID:5380
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                                2⤵
                                                  PID:5372

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                Filesize

                                                280B

                                                MD5

                                                65044109d1beb8ed8d59560642cbc519

                                                SHA1

                                                0084485b0aa26069232fab51ee603682e8edfd17

                                                SHA256

                                                a1e0b448218678b30356cbbe4092ea091435e7450822a9748361b6e8b198962d

                                                SHA512

                                                96dcc68fe92f98c4329a8335cfffdb0849a52562431045ccc42076bda0abf3842491303fb669246bfd04e64113688d3f90000a09571dd76ff84b52e34e45f9b6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                                Filesize

                                                2B

                                                MD5

                                                99914b932bd37a50b983c5e7c90ae93b

                                                SHA1

                                                bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                SHA256

                                                44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                SHA512

                                                27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
                                                Filesize

                                                107KB

                                                MD5

                                                40e2018187b61af5be8caf035fb72882

                                                SHA1

                                                72a0b7bcb454b6b727bf90da35879b3e9a70621e

                                                SHA256

                                                b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

                                                SHA512

                                                a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                                Filesize

                                                2B

                                                MD5

                                                d751713988987e9331980363e24189ce

                                                SHA1

                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                SHA256

                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                SHA512

                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
                                                Filesize

                                                40B

                                                MD5

                                                20d4b8fa017a12a108c87f540836e250

                                                SHA1

                                                1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                                SHA256

                                                6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                                SHA512

                                                507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                Filesize

                                                16KB

                                                MD5

                                                fe6185c957d71470a06a1b3bd7ed505e

                                                SHA1

                                                30400c25a6842d1355f9dc0f23c8549eab8ca624

                                                SHA256

                                                f1268ee843b8f8be51613b6ed04a2b0e7ffba4448378ca872c886efd73f606bb

                                                SHA512

                                                27d0a8e1ac06534249499309ef6636b44e70796e0b6808c5a912f72023b79fd8a90ea8f37b3a7bb6e2dbde1043158557f025915c3fe808f7d2b9ce1a65e1c573

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                                Filesize

                                                36KB

                                                MD5

                                                25c426290152276cb78ff4ed10f4bf83

                                                SHA1

                                                946efedaa225a3abae51f972cdb72664ca77ddc1

                                                SHA256

                                                38cc99fd4c2d4a647e31194280699851a43904567052209194354d0ddcb86009

                                                SHA512

                                                831937ffc6f738d13dba79f3a961954bea9269c1b98633f812bcf0c6bb549c455fd1ee13004bd532d4a2d61a26443fc988cc67dec88fd2d1ebc563ae4d37cbd6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
                                                Filesize

                                                22KB

                                                MD5

                                                654e18086585aeca24b6d84384d1eccf

                                                SHA1

                                                0ed3c019fef45ccfc7e4e5d03c7e092a4221384b

                                                SHA256

                                                13c097aac6f5af2e9e0548e283cca8a9f2cf0c2a7b62cfac64293d289ff04dab

                                                SHA512

                                                0112ce5115fe62fcec9844bd4ddf4bbf816628a18aae89544f703fad1d1e05e4ac82b2615c40104a2096b036676ac9e5df89182653afbcafbee55e715fab9906

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                40KB

                                                MD5

                                                cf96f9b8040393c6b8e3fc6fa134fd0a

                                                SHA1

                                                7b389697aaac7d1862e6ea5334d63954773c2d24

                                                SHA256

                                                a0517e343cc6fe28b47c54824e477e08f3f8072947a0f58170042eb495bea31d

                                                SHA512

                                                2daf03a21f0e4ed748b200e8050a644290677077b1a3f9463ce987bc78fba799bf803d7c25d43bd371ae9109042ab4243fb9d9af01d2b78231214d40254a1619

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                41KB

                                                MD5

                                                13b19f74270c183c86ae18b55aa8c94a

                                                SHA1

                                                e2e21c8e22b67e7f076e73d862ac43185cff89b5

                                                SHA256

                                                11c891a5887bad1f483f6526e4025723f39237feeb46ea1638370a0de61cba5b

                                                SHA512

                                                9bab39a937e30bc4bde8c45bae4f7366db629260288921b4dfcd505f116eb1dd019d2294dfaaaaa12c4eea77181b1536d32ad9c7183e4f85d318ece9d75ab7db

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                50KB

                                                MD5

                                                eaf878a089f5cd5341a99a6b2f2c4a02

                                                SHA1

                                                ef2bf0c1e0ca37611549bfecce9e0ca532d57157

                                                SHA256

                                                5b6f27743005642127d3fdd7e798f0638948463732661b840ecac5a86991c490

                                                SHA512

                                                185292e66fc988a65f0c85f694325f7f744ead15ada7b67c64714ea6669f51372ba829ec606092b676d8e87ffee9c5215f6f50e4561ed334426c330da143fa4b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
                                                Filesize

                                                152KB

                                                MD5

                                                dd9bf8448d3ddcfd067967f01e8bf6d7

                                                SHA1

                                                d7829475b2bd6a3baa8fabfaf39af57c6439b35e

                                                SHA256

                                                fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

                                                SHA512

                                                65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
                                                Filesize

                                                2KB

                                                MD5

                                                b3fb826df907135d6ba1e003e29202c0

                                                SHA1

                                                e9bc08c5c2a92f9ae743acfa34130f7cf4f90506

                                                SHA256

                                                912b7500d1d46c0a7a4ea4aa6fdd93ea970a038944be89da110543789cd1aee8

                                                SHA512

                                                31bd9aced737d9dfdc13dc0bca04ca76e1e51bdbaf42c790e9b1a7c5ecd702aceded09a60e634a4955046d580fc9bab3eda9e5ca1b65807631cec2ed1b50725a

                                                Download Submit

                                              • C:\Users\Admin\Downloads\AAservices.exe.crdownload
                                                Filesize

                                                8.5MB

                                                MD5

                                                a5afaac697fab2c766051607ae273134

                                                SHA1

                                                4618047e01c29c2b2fc9c7e217fdbfd290dba0d6

                                                SHA256

                                                291977390ed9da8791a2395429c6040ba437de103c6215d80052d583221db9d2

                                                SHA512

                                                8d1bd9173e4f1ebc464c19dfd44736773a36301bc3f4af57c9c8dd228c47b5d53a97e09465380edb300bb4c4b19bd4883ab7bd3129ba2d3310b4371ef22804c7

                                                Download Submit