Malware Analysis Report

2025-01-22 13:59

Sample ID 240304-y82n7acd7z
Target Dbug.rar
SHA256 854e1c26121698ba6b70584de483d601fe52d508195765618cb136d1da56141d
Tags
njrat xworm hacked evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

854e1c26121698ba6b70584de483d601fe52d508195765618cb136d1da56141d

Threat Level: Known bad

The file Dbug.rar was found to be: Known bad.

Malicious Activity Summary

njrat xworm hacked evasion persistence rat trojan upx

Detect Xworm Payload

Xworm

njRAT/Bladabindi

Sets file to hidden

UPX packed file

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Modifies registry class

Creates scheduled task(s)

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 20:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 20:28

Reported

2024-03-04 20:31

Platform

win7-20240221-en

Max time kernel

127s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

njRAT/Bladabindi

trojan njrat

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\ProgramData\Fluxus V7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\svchost\$77svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\ProgramData\svchоst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" C:\ProgramData\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\Fluxus V7.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Cheat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Fluxus V7.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svchоst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svchоst.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1244 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1244 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1508 wrote to memory of 2416 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Windows\system32\schtasks.exe
PID 1508 wrote to memory of 2416 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Windows\system32\schtasks.exe
PID 1508 wrote to memory of 2416 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Windows\system32\schtasks.exe
PID 1508 wrote to memory of 1632 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
PID 1508 wrote to memory of 1632 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
PID 1508 wrote to memory of 1632 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
PID 2416 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2416 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2416 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2416 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2416 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2416 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 1632 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
PID 1632 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
PID 1632 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
PID 1632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\sisk.exe
PID 1632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\sisk.exe
PID 1632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\sisk.exe
PID 2832 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\XClient.exe
PID 2832 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\XClient.exe
PID 2832 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\XClient.exe
PID 2832 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 2832 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 2832 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 2832 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 2568 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2568 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2568 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2832 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Built.exe
PID 2832 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Built.exe
PID 2832 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Built.exe
PID 2568 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2568 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2568 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2832 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 2832 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 2832 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 2832 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 1860 wrote to memory of 1528 N/A C:\ProgramData\Built.exe C:\ProgramData\Built.exe
PID 1860 wrote to memory of 1528 N/A C:\ProgramData\Built.exe C:\ProgramData\Built.exe
PID 1860 wrote to memory of 1528 N/A C:\ProgramData\Built.exe C:\ProgramData\Built.exe
PID 1232 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 1232 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 1232 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 1232 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Windows\system32\cmd.exe
PID 1232 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1080 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1080 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1080 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1080 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1080 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 756 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 756 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 756 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 756 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 756 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 756 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 1788 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe
PID 1788 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe C:\Windows\System32\attrib.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"

C:\Users\Admin\AppData\Local\Temp\sisk.exe

"C:\Users\Admin\AppData\Local\Temp\sisk.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\ProgramData\Cheat.exe

"C:\ProgramData\Cheat.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\ProgramData\Fluxus V7.exe

"C:\ProgramData\Fluxus V7.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN ssbobr2.0.exe

C:\Users\Admin\AppData\Local\Temp\Windows.exe

"C:\Users\Admin\AppData\Local\Temp\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 5

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN ssbobr2.0.exe

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BC119519-F183-4A91-AE3B-AAB06C15D5F5} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\svchost\$77svchost.exe

"C:\Users\Admin\svchost\$77svchost.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\ProgramData\svchоst.exe

C:\ProgramData\svchоst.exe

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\ProgramData\svchоst.exe

C:\ProgramData\svchоst.exe

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 epsilonbot.xyz udp
US 8.8.8.8:53 points-detect.gl.at.ply.gg udp
US 147.185.221.18:35608 points-detect.gl.at.ply.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 greater-questionnaire.gl.at.ply.gg udp
US 8.8.8.8:53 api.telegram.org udp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.18:35608 points-detect.gl.at.ply.gg tcp
US 8.8.8.8:53 artist-shared.gl.at.ply.gg udp
US 147.185.221.18:34511 artist-shared.gl.at.ply.gg tcp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
US 8.8.8.8:53 stories-boulevard.gl.at.ply.gg udp
US 147.185.221.18:35608 stories-boulevard.gl.at.ply.gg tcp
US 147.185.221.18:34511 stories-boulevard.gl.at.ply.gg tcp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
US 147.185.221.18:35608 stories-boulevard.gl.at.ply.gg tcp
N/A 127.0.0.1:35608 tcp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
US 147.185.221.18:34511 stories-boulevard.gl.at.ply.gg tcp
US 147.185.221.18:35608 stories-boulevard.gl.at.ply.gg tcp

Files

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

MD5 3e8b1f158ca26738d0338026b1b78eea
SHA1 e7eb5c431fc856ad91fa3cad2f9a4625a5f3fe54
SHA256 f16174231d01bfa550623f8a04c8ae2cbe8d0e7122e5546d1d6cfd136ee570a6
SHA512 f62ab87964429a437f9369d50463ae4401674128a8c88f3798b5c217c36297250c7f94ffa0ce4e84d0242c0c8dc83603caff949cc4124e0bd9df7f5332bb98ea

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

MD5 6fc7ed50e81321274973ca99b7c1652a
SHA1 3afb3f7fb67df24115d744d97e75d182c738484e
SHA256 2b05580bb02270889f49598e71e472737a5e14d5ee68a8460ddc43c337d019ba
SHA512 729fda274d4fb0692c9d62ce32d4712853878536cce8eed75458509a28ba3d9791a37abddfd03e72494c1d45353b1c104c525130d4e323cf4fc62c581eb756a9

memory/1508-140-0x0000000000220000-0x00000000010AA000-memory.dmp

memory/1508-141-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1508-142-0x000000001C1B0000-0x000000001C230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 59142733b84a3cac99f8cc5213feecba
SHA1 d778592509ae3deb22fc926e6178ffbe87b231c3
SHA256 21bbdb4d35ebdc7245717babbfefc3461e464ae8572bc00694bddea89dab9d18
SHA512 938a81e337d8af75906630df37a957c525c88de837e021025180d23a3ea937ac3b94f4bb3b843b0d0f81c8372e6484188d9b13868b78051e2dd3905b52075b42

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 fb9f49732473d1b51fdfef3fdb5c92aa
SHA1 12e64609a9bf065d60ceb36f5a21fc3ae9aadbb3
SHA256 959f07aa2256586ede8d0df200c2f9e62d4f78045428d0c37151f75341dda6c7
SHA512 3411479e9fb89475bb442a62fbd7c62f5a1f49ff1c74b2d92fcfbc2f4cf825c5fb994acb3818c05d0a56be86c61b6f290b14c4c9b87c2a65c4f7c6a3b5ed855b

memory/2416-151-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2416-148-0x00000000012B0000-0x00000000015CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

MD5 8d6d2bbf937cd6bd3149035a5cc80171
SHA1 9d46d8a12868a43802bb5532f50c94f34c92ae4f
SHA256 78af2bdee2c64692763f5f5bca4f809f03719efb21a43f89fe0dc3322fea2bfd
SHA512 c2cccbb7049ff669bd11e78ca97b57ba8640e61ee86802f8209b10c158d04860eaf649a8843a736d0a886238e6482222abda2cc0fb2fc58b225d140f546c2669

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

MD5 bd0e3897e1485769a046e598cacc18bc
SHA1 21d4005d7d5415fedabdb9452b51f6bd472da5ed
SHA256 54db0aae2a0f78b2e4dcb38ab8c1c31d4d007cf94a65f830e1910779e1513699
SHA512 6f241061162b15663d845d5e860eb3f5e555d009c516054845e5db031f02d5eb6903527db350889ac0540d162e462c5a7df8689f03282c5c72fb14742db69700

memory/1632-155-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1632-156-0x0000000000900000-0x0000000001462000-memory.dmp

memory/1508-157-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1632-158-0x000000001BBD0000-0x000000001BC50000-memory.dmp

memory/2568-169-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1080-168-0x000000013FCD0000-0x000000013FCDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

MD5 701df65121e1977fdf160bd9cfb9bb6a
SHA1 5fbbddbad5e0ca509b60134f78188f255bf6b74e
SHA256 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1
SHA512 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 84e638e4cebeec9fe2df4f33d90423cb
SHA1 901504b1d19022dd4020b30a73e9623e40142435
SHA256 2d876422d551eac5189bdfbea1d01b2a7dcbb4f1cca1963f3330ae5255fca490
SHA512 28c09995b8bc5b0357813c056b383a804f41eb9c0af1b32835663e283cb0b1157146a819b32e7992d249f5f4eb94db49ecd598bbfd26efaa80e45eac9275ff08

memory/1080-170-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2416-171-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sisk.exe

MD5 ab1bbb41c6c90c3b6d93a9be5e352995
SHA1 70cd2de832d76014d7f50ee1a16e89fba701b659
SHA256 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45
SHA512 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2

memory/2712-181-0x0000000000C30000-0x0000000000C48000-memory.dmp

memory/2832-180-0x0000000000270000-0x0000000000DDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

MD5 174b9cff9c8a30ffd0c9f606de004363
SHA1 6360618e3dbe567e466311d54d6ed57abb9cb4b8
SHA256 5de5a904047e6f79833f0368401d4ae6029ca302590b648ad2fb4656e5cb33d9
SHA512 a5887a61f88c1ffa2c83dea799879cd12786364f3208215d2ccdbba48ffbfed67bf009fb5ec886fde61d6e9cb9b3bcfe9852d92cd4f9857d59738aa1690e7bee

C:\ProgramData\Cheat.exe

MD5 a495f7df4cdb2c9febd69c56ff6563bc
SHA1 f95944cab464e1d89b671be7ec345d44e9bf8a03
SHA256 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052
SHA512 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7

memory/1632-188-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2832-195-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2712-198-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

C:\ProgramData\Built.exe

MD5 bd7438f4803906c32d1f2501290a1049
SHA1 1c5dc4093bed4360e57852e8ac7f7ebf37c61000
SHA256 e82731dc7bae6b38ac9fb6fcad946c910ab121fc91d4a2eaf1b8feac3e1f847b
SHA512 42f2eff1f9e64027b5892361f3dc767062f0981b05518b8847c59336c2d67c92a56a47173bc5ebae20739a1865152d964cea7cc0040c4ebe29d5cc80dc8773e8

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Fluxus V7.exe

MD5 f27cd6031291f214be6fc4a8176603c6
SHA1 23b2b6f423de0f28255e62284b07fdcba22a009a
SHA256 2a3be9316ed080310f55cea1e730da4b891b3ec7a1dde3705dea587fad55c6f0
SHA512 3dce6784c320824bdf6c12c4038a2a6cc538005f8dd123ca36112791962a7088258def1cf82dd8590553ca7c18f1ed33d56cbf8fb463913ff19003114ebcd6c7

memory/2832-219-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/832-212-0x0000000000920000-0x0000000000936000-memory.dmp

\ProgramData\Built.exe

MD5 1bc15f450b87869bf0be16eefe81bd01
SHA1 46e654a56bfb7c95099bcba8a998ca6da6916575
SHA256 c0a71bc36c5f9138ba43aa803b3b4fa0255b2cc31f88d84a8ad95fe081167510
SHA512 52d947a67be0a4337d825c641bda5a64d7b6945b67d8cbb6477428c0e2c8d17f2c26a8056b8265e2c8db687357d609fb2ab51bdd0bee899fa2abe5566cd4c901

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 f28e4f84312c3a8e008d75a15c7a49d9
SHA1 f9d6d5f6227cbb45ed4846ee1154f9eeb796a8e5
SHA256 8fefac5742c0e1671b877f9d851dfba9652ebf9d22c444bf2747f5d7f9d9e916
SHA512 aa21f098558f32f138a5d74f1a37cc83dfede02f408d7b6b26f79c04780e1a13769882c613d63ea03a98f86594e2437b8a9a11da924a5369b8d9d10c0d704ead

memory/2104-193-0x00000000012F0000-0x0000000001300000-memory.dmp

C:\ProgramData\XClient.exe

MD5 9ecb9d48c8da1e49862a32f5d32e3c9b
SHA1 20902b0b25916dab87b0a373e6fa28ce26feed49
SHA256 fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff
SHA512 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

MD5 31ef4957b664bcd6a59f53f053b6bdac
SHA1 7ddea191f5a3dcfda565dfabdfc47a14c3d585cf
SHA256 00996da1f8e29616666b7d7be7f00b2594823d01058b5bf8171af976d982bf3e
SHA512 f5d16fbcada0ef21b4ab606154433603802c68fef8d985c913146e8ae9c49e9d76b84e3427f645d4dab59889ea7b3769327ff9cd00cb03d08b463489a562ace7

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 58c5df5cfc1820f91b41baf966410070
SHA1 20e6ce27ca19688d62a6923e2a26e6d9008cb918
SHA256 dbd1955a8eca3841b55d3d353ec5fded2ebb61ba97fa5709819c3eba5ba12fc1
SHA512 2675698ab6a8f4c0a71814f2092a64ef548206bf9f378035bfbe2ed3fc59e1a9c33373ecceec6aa592551fdd258d22b7917d9afc875802b410041f5884c1fe03

memory/1232-236-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1788-246-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1232-247-0x000000001AF10000-0x000000001AF90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 f1c9e1199e9a1bbd9c708f488dd1e747
SHA1 32bdd04a7e3a08fd0a2312cecfaf2eb5d2f5c17c
SHA256 9c75af305c1c0711c420b4c4c35b14d21de9940b9c7360f9b24830a6e0884724
SHA512 b76b0eceb4c8f11c67df7a2f29434e89220deb88eaee06a909cc356c69d9b34e5a65beefbde75294a90bfb786a43866b169afa8768c774dbc2b853b2506ffab8

memory/2104-251-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/756-249-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2568-244-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2108-243-0x0000000000CD0000-0x00000000010C4000-memory.dmp

memory/1080-241-0x0000000000900000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI18602\python311.dll

MD5 4eb02581f8a1d4faa3ee1fbc7029f025
SHA1 8ed8eaff7c90d61a5b5ae5964de7ff77cbc1c253
SHA256 1b3a030f15185e549e28ca03365b622d3931348281cc90b699f19433f21dc4d0
SHA512 3562886da464260fe82c0abd6bca9fb868844735a4a884177119fc37bb6ad110a1c69e5aaf3976112fc99ceebf30e137cea6e8560f264131f393581d8c847b43

C:\ProgramData\Built.exe

MD5 3c2c83fd308f708efadad3baa1e63a9e
SHA1 6c4b07299a68a6a167cdb1e0742ae1fc96b437f8
SHA256 a626a14d20a9a2f855122666ab5240a1c3b448e3e33d55f90fa3a7dea8ef562c
SHA512 645d3f0903b32e3fbc18a26286b92524cf153c499d544718014fbe3e09467bf3c8ec6ef7e106a41de7722ba6466b9c9eaf99290324f42d6ca61756d8aba901ff

C:\ProgramData\Fluxus V7.exe

MD5 b4f9cbca656fd34c4dbb1d706a7f1ad3
SHA1 2b95d88a80ccb619b581c420f7435c660cfbb28e
SHA256 1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d
SHA512 5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

memory/832-234-0x0000000074730000-0x0000000074E1E000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI18602\python311.dll

MD5 b33897b3b37b892fb4652068a3e09941
SHA1 966fee64cccc97e75a0c6116492c907641c2d11b
SHA256 c363ebae0ed6311740a3d20ae875678b0fd8f1b72930da559c9706f9a3d6d190
SHA512 e73e52ee5924d64c33fe0642b0ca2174ca4ce65d6a12cb43997a33bf4279291f1f25e0ea8203f1884ee6814491b010050ea0f737f88cd855e37218c4f659dcdb

memory/2804-257-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1788-258-0x000000001BC10000-0x000000001BC90000-memory.dmp

memory/2108-255-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/756-259-0x000000001ABB0000-0x000000001AC30000-memory.dmp

memory/2584-260-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2616-261-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1232-262-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1528-263-0x000007FEF28B0000-0x000007FEF2E9E000-memory.dmp

memory/2616-268-0x000000001B610000-0x000000001B690000-memory.dmp

memory/2804-265-0x00000000021E0000-0x0000000002260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 ac89f261546e4af3ee01ddb559b690c1
SHA1 c00571745c7cc117b3927f2b2d8019b61363d876
SHA256 ae991e68547d8e6a7301bf81e152a8c1a64f3a044c5163b1dc610ecbaddee213
SHA512 8738226394b3bad1fba8b956e473057112c37523bcb81eaf8de9ed070e55df5725157c1770ba047551e6f53e05755c871de812fa96fd358be3f689d361d5284c

memory/756-271-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2804-264-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/832-272-0x00000000022D0000-0x0000000002310000-memory.dmp

memory/2520-274-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2848-277-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2584-276-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/832-280-0x00000000022D0000-0x0000000002310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 26fed2d3ce367c6eefa599eecd88c678
SHA1 5dea21ebdf813a400cadb4e43a52de8fe2d07117
SHA256 b9d86dc320a26155acf3a6a13763eb9c8041e66736790e7a53255b6bd35821e6
SHA512 1ed6c02ff43914bd829b89a0bc803f5d19b88164e864174144721fe16fdad0cc0dabaa1bb6351f74781327b07c197b28da11a48696cee7b479fb521222b890fe

memory/832-273-0x00000000022D0000-0x0000000002310000-memory.dmp

memory/2192-288-0x00000000010A0000-0x00000000010B6000-memory.dmp

memory/2520-291-0x0000000000520000-0x00000000005A0000-memory.dmp

memory/2108-290-0x00000000025F0000-0x0000000002630000-memory.dmp

memory/2712-294-0x000000001B020000-0x000000001B0A0000-memory.dmp

memory/2616-295-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2664-302-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1644-305-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 b698ebe6b0371dd472ee5cbdc00dd05c
SHA1 cf00b809945010b9cb5b27a8499c2aba419cad9a
SHA256 ace79b94883a25297b718a91eed8e04e495e03a23317e816d82fdc0ef4e0a557
SHA512 f9b27d8f4d3937e648536a77f590b78ca1ef6f61d57dd591e7cfd669c5c6c7253effede365ed788e26e928ab4f5a9cac1831e34cb6dd50b53da910d8e20f7a80

memory/2520-306-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1992-307-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2848-303-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1992-301-0x0000000000E40000-0x0000000000EC0000-memory.dmp

memory/2848-298-0x00000000006B0000-0x0000000000730000-memory.dmp

memory/832-297-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2000-293-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/1992-292-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2192-289-0x0000000074730000-0x0000000074E1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 8b66a8d32d363d32953dddd62e80ca21
SHA1 12ded8178e85560234eeb13e43999f7c7ee43703
SHA256 27f82ec5a026b0208cdba8783f02a46ff69610720d99b28dd7c6a2bf470eac66
SHA512 c651471808582761aefd49217836cfc566ecba130e24fed986bd8f29eb9d200693e136c84d84b92983d9d9d3a73cc433e94afe726706c9e49f9fb39deff083f0

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 f2913c0e170710b80e477e80e98ab51f
SHA1 98e7beb1d5582dc922cd6d87d72fb6b2f2905a7d
SHA256 011575d41de92fdb3bbbde87b55e04972fdfcc754456f67df9862f3281aa6e9f
SHA512 6bb3e5adb12d410b093a531544b4c2ba3276c1bb0b93b904d14f395076172b30f3c49e694793a894ae44e25fb5edb82aafa6555703db554a5c80ca28de9557db

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 a36984e4939c4e92eb6706864e509d5c
SHA1 fda70f03c3796c21bd4863c46c65c9799f105688
SHA256 afd9b8d2336f8281ddbeae0dfb3765544648b9f2e5cc41763b44f0a28a11fbab
SHA512 7048ee9f9fde3f2995baef2921760eea257483badecd586f7ffdf5d6960b8b63521c1b328d3936d43cb370b0d699b42f0ce972dc613b84c27985ef7e1729e4c1

C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat

MD5 974f6e093079aed0879066f3cd2ce100
SHA1 5876790f028bcf69a2858a7147c65bc2ef9d08df
SHA256 585e0ae8b39f92012ca1f23d12b7a3e7d84434c6b402adc780aeaf34ce21244c
SHA512 09e70f1a01229f738b688e50fb6b21a7d1802ccf309c7307a11d09f15a7de1e35d6f72b5a97209e82ca6d54bc0e0c13da9244a38db55f6aad1eb208f2990571c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUYJFY6DR3WSJYTGR2HV.temp

MD5 5b1a92a47e0904eaca60ac553db43c05
SHA1 82e685ceb9ceea3e8ee2136b27b25fdf6c6dd97d
SHA256 bfc10422dba32e3d4a5271ffba7822b77494fcfee367e7ac1ab36ccddebeffc2
SHA512 fdda1c7c1a7b233afa9a7ded27538371c9c11765cdb882bf45ef66851bd762aeb76171c33cebcd5ec434f84d2fec183d72bf031c6d34ffc31569718e04b003cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar5049.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 20:28

Reported

2024-03-04 20:31

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

njRAT/Bladabindi

trojan njrat

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\ProgramData\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\ProgramData\Cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\ProgramData\Fluxus V7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\ProgramData\Built.exe N/A
N/A N/A C:\ProgramData\Fluxus V7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\svchost\$77svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" C:\ProgramData\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svchost\\$77svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A
N/A N/A C:\ProgramData\Cheat.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Cheat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Fluxus V7.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 232 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4708 wrote to memory of 2076 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4708 wrote to memory of 2076 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4708 wrote to memory of 1268 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
PID 4708 wrote to memory of 1268 N/A C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
PID 2076 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2076 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 2076 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 2076 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 1268 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
PID 1268 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
PID 1268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\sisk.exe
PID 1268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe C:\Users\Admin\AppData\Local\Temp\sisk.exe
PID 4404 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\XClient.exe
PID 4404 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\XClient.exe
PID 4404 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 4404 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 4404 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Cheat.exe
PID 4404 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Built.exe
PID 4404 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Built.exe
PID 1652 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 1652 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 5032 wrote to memory of 3012 N/A C:\ProgramData\Built.exe C:\ProgramData\Built.exe
PID 5032 wrote to memory of 3012 N/A C:\ProgramData\Built.exe C:\ProgramData\Built.exe
PID 4404 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 4404 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 4404 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe C:\ProgramData\Fluxus V7.exe
PID 1652 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 1652 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 3012 wrote to memory of 2200 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2200 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 1464 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 1464 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 4596 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 4596 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2248 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2248 N/A C:\ProgramData\Built.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4068 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Windows\System32\Conhost.exe
PID 2248 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2248 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4596 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4596 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2200 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1464 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 748 wrote to memory of 3920 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 748 wrote to memory of 3920 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 1424 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1424 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\sisk.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4000 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4000 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
PID 4000 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 4000 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
PID 3104 wrote to memory of 3972 N/A C:\ProgramData\Cheat.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe
PID 3104 wrote to memory of 3972 N/A C:\ProgramData\Cheat.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe
PID 3104 wrote to memory of 3972 N/A C:\ProgramData\Cheat.exe C:\Users\Admin\AppData\Local\Temp\Windows.exe
PID 3104 wrote to memory of 5080 N/A C:\ProgramData\Cheat.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 5080 N/A C:\ProgramData\Cheat.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 5080 N/A C:\ProgramData\Cheat.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"

C:\Users\Admin\AppData\Local\Temp\sisk.exe

"C:\Users\Admin\AppData\Local\Temp\sisk.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\ProgramData\Cheat.exe

"C:\ProgramData\Cheat.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\ProgramData\Fluxus V7.exe

"C:\ProgramData\Fluxus V7.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Windows.exe

"C:\Users\Admin\AppData\Local\Temp\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN ssbobr2.0.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN ssbobr2.0.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D06.tmp.bat""

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"

C:\Users\Admin\AppData\Local\Temp\sisk.exe

"C:\Users\Admin\AppData\Local\Temp\sisk.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\ProgramData\Cheat.exe

"C:\ProgramData\Cheat.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\ProgramData\Built.exe

"C:\ProgramData\Built.exe"

C:\ProgramData\Fluxus V7.exe

"C:\ProgramData\Fluxus V7.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\svchost\$77svchost.exe

"C:\Users\Admin\svchost\$77svchost.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\ProgramData\svchоst.exe

C:\ProgramData\svchоst.exe

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 blank-iqpwu.in udp
US 8.8.8.8:53 epsilonbot.xyz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 greater-questionnaire.gl.at.ply.gg udp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 points-detect.gl.at.ply.gg udp
US 147.185.221.18:35608 points-detect.gl.at.ply.gg tcp
US 147.185.221.18:35608 points-detect.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 artist-shared.gl.at.ply.gg udp
US 147.185.221.18:34511 artist-shared.gl.at.ply.gg tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 blank-1vyhl.in udp
US 8.8.8.8:53 epsilonbot.xyz udp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
N/A 127.0.0.1:35608 tcp
N/A 127.0.0.1:35608 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:34511 tcp
US 8.8.8.8:53 stories-boulevard.gl.at.ply.gg udp
US 147.185.221.18:35608 stories-boulevard.gl.at.ply.gg tcp
N/A 127.0.0.1:34511 tcp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 92.123.128.149:443 www.bing.com tcp
GB 23.214.133.66:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 149.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 66.133.214.23.in-addr.arpa udp
US 147.185.221.18:34511 stories-boulevard.gl.at.ply.gg tcp
N/A 127.0.0.1:35608 tcp
US 147.185.221.17:5562 greater-questionnaire.gl.at.ply.gg tcp
N/A 127.0.0.1:35608 tcp
US 147.185.221.18:35608 stories-boulevard.gl.at.ply.gg tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 147.185.221.18:34511 stories-boulevard.gl.at.ply.gg tcp

Files

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

MD5 0d45f56a1e55674230062cb964bfcb53
SHA1 ac9864a3471d1002c41bafcd9a3cc09e9bd8da6c
SHA256 b5368ba9a08842c144d2351cb803571523c8d88714df6e94b2ef331474aaaba5
SHA512 29ddbbaf01229914c5070e0996076fe86df0f2b8d103fcb3c829efebf2d14b7627738b7e0eb8e264f502c525cd777feab352914be09f63af974ca208fc3f617f

C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe

MD5 3e39eede68a9c49ca3888c588508a633
SHA1 45bee64962a89b79fa8d0bad81e0935756d7cabd
SHA256 bb3911e1708607bcde7c2893b48b3a0fbc85152646830e8c7c71ee417bb6ee8d
SHA512 5422bf04ca0b92e52b1ac702f6ea2a04d176a9a0f4a2c455ce7bc5e5b0ae8e8d228e4f805f28b767ebd6946a98849dd3330d61c8a99a3b4c3a446cc10b9f57db

memory/4708-117-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/4708-116-0x0000000000520000-0x00000000013AA000-memory.dmp

memory/4708-118-0x000000001BFE0000-0x000000001BFF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 b869e32cdac575ca23d73e7f9f046e6b
SHA1 2bc4ce47bb37e3ffb4faabc1015d2608a8fa96c1
SHA256 4dc95e267ff2a5054ca354035113f16be23c06e374343b6db43b5a084b71b8e3
SHA512 d6913b3460d947043313d65458768d2fb5bb24d38da236ca88a00f61f63829e164681a22c41c3780e25001827a7219eac73b47dc26eed5ad46705c0b079c7e80

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

MD5 fcd1f3fe6975bbba31e0378e4d3fcaa8
SHA1 3c81e56db98c968cac680811bbaea93ee6cbce46
SHA256 2cf3ce6bb37e8ba97d47db3410040cd33880db0a3359603aa5c5f1e36ef4bc86
SHA512 12ad414d814302effdaa0f1dcf3005c7d860890650843fff5483c78a062f66d503b2572e5ddcafdebd6aaa9f3f1ac305072196c2ef4265613bfba310e29a27f8

memory/2076-138-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/2076-139-0x0000000000570000-0x000000000088E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

MD5 3c1cb8ebb27715109dd6eee01987c7b1
SHA1 f80db88bc235703afcf979b8b4a7a27c5b37ecfc
SHA256 b41bae0c8a249ccbf99fcc645d7cfcdb54c6b0860bd3e86146bf9d02c52ecc62
SHA512 39bfd0600d964bae5df034e618aa269ca5b91f07ffcd2171f9f6b4a63bb1fe1a7c7c3c0202294c80ebebc00e9d80f1136b3bc890eb10574f9098881d1c3c4131

memory/1268-145-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/4708-144-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe

MD5 ef8161631ced518c0672b547e4ec0b92
SHA1 149e0c776b2fa6b0acc4c1470149df1db153ea34
SHA256 78fda8a1e4920b9637bdad7688a2d53d6c911f76edfc8ef350f61875e1f33e00
SHA512 32c24e45e35fe62672b2647958ca0db590673f039ff0b7371eee4c0e6542332449f8206a6e4cfa49e71b8765f28885411f12b3372f9684c6d6be7d5d4384fb0e

memory/1268-146-0x0000000000FB0000-0x0000000001B12000-memory.dmp

memory/2076-147-0x000000001B4F0000-0x000000001B500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 dc3ba92c8e7e4a7b4617eb966efaf88b
SHA1 1c8e7fcc547a62cd518e8ff52894e2dbe8985c93
SHA256 8facfbd4843b0f7632e32ea8a72411026de5516afcc41b69e365832126fc2f9c
SHA512 fbf94d58d472c34f011199073e81f9ca32b187b2a47030be106dc637c77ba02c0a122caaa0b3f51ebc7fcce98ec825d0d819e247f551b7923119ec7d0eba8139

C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe

MD5 701df65121e1977fdf160bd9cfb9bb6a
SHA1 5fbbddbad5e0ca509b60134f78188f255bf6b74e
SHA256 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1
SHA512 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607

memory/1652-161-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/936-162-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

memory/2076-163-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/936-164-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/1268-165-0x000000001C810000-0x000000001C820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

MD5 9bec4284b92f40e10621fe0992062517
SHA1 65fac7340f8de38c4f73681a49255ff395ea8489
SHA256 b68534c14820a25576e3b49c6ea6cc3c82461e83e735806b06e372e09468ba2a
SHA512 f322d77d9e7c4aa2a053be14ef866d6081fb384bb03330624d939b84acc05e03170185da7b53bf88cdccaca2bd107d585cf73cf6ac94f5afd6dec3a3c2f7e9a0

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

MD5 ff11b01b0f94e722e1436d217189ca06
SHA1 06c40d6fafda5c79cd541c28b85998a1dba7a8a6
SHA256 78b33c6d31c47f19981e619874ae4ee3531d73c6302dba522fd3ce6dfdb7ea10
SHA512 d14924990fcf1a0935d7965a56b716f9f3c1a982ae6e57743c3da2a65f4b275a96c830f1fa4f241c1fae94ee3c9aadc7d3c3dad533fcce759dd0a93901890be0

C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe

MD5 80837fd8a08f3e6fc8e2c44a942a2e65
SHA1 a3db869f4ebaf273afb3ac46881046934e2a569f
SHA256 a7dd2dba877d70f2a54bcb113dbe2e81f3c3e239524d5f9b4ef11f0d75b63d3e
SHA512 af3b892378002e01170b3bc4a9f612f44b7bc2918d71761289da7ae3a8a179160005f6db4cc193f6c71770bbf165e8e8fe9d3579e232b96e068ccc6f65fed5a2

C:\Users\Admin\AppData\Local\Temp\sisk.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\sisk.exe

MD5 ab1bbb41c6c90c3b6d93a9be5e352995
SHA1 70cd2de832d76014d7f50ee1a16e89fba701b659
SHA256 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45
SHA512 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2

memory/4404-189-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

C:\ProgramData\XClient.exe

MD5 9ecb9d48c8da1e49862a32f5d32e3c9b
SHA1 20902b0b25916dab87b0a373e6fa28ce26feed49
SHA256 fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff
SHA512 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3

C:\ProgramData\Cheat.exe

MD5 a495f7df4cdb2c9febd69c56ff6563bc
SHA1 f95944cab464e1d89b671be7ec345d44e9bf8a03
SHA256 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052
SHA512 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7

memory/1424-192-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/748-210-0x00000000005D0000-0x00000000005E0000-memory.dmp

memory/4404-190-0x0000000000FC0000-0x0000000001B2E000-memory.dmp

memory/1424-193-0x00000000004B0000-0x00000000004C8000-memory.dmp

memory/1268-191-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/748-213-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/3104-215-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

memory/3104-216-0x0000000005820000-0x00000000058BC000-memory.dmp

C:\ProgramData\Built.exe

MD5 6013ac4a814cd1a08e89ba92d74fb03e
SHA1 94619fb1b39c480a3b80722037d71e7fb391c766
SHA256 a76d5393064a3a84c7bf3f64f821c0cf7e1c7c459e722d323b59f3de9684bdf6
SHA512 1b68f5ca5d405ea9353d4be10605cb7ff672dba7c3f0f84b6813abe8ed2e3230e03db3f97d24752dc5321823623500ba3e682cc375b73485ebf8765cbdef635a

memory/3104-228-0x0000000005E70000-0x0000000006414000-memory.dmp

C:\ProgramData\Built.exe

MD5 693158dbb0b852f8e47d16702997bcb3
SHA1 56a1a4d37be92436fd3a6a48414ac2e63c66266d
SHA256 eb0ef1992c35cdf01090a14a7ed5bba1448f6470f568f5fb84202caf6bec08c6
SHA512 7b2821d12fe8b2d80fed80cd689166583d3ba10d0eed095f4dd2cefbb2be076697c4a1d496dfe1bd02e4942d16370e7adbfa3a8b350b640f2eea6f4877bec23e

memory/1652-229-0x000000001BB80000-0x000000001BB90000-memory.dmp

memory/3104-227-0x0000000074C30000-0x00000000753E0000-memory.dmp

C:\ProgramData\Fluxus V7.exe

MD5 129676df0c6c34a5e35752dbc5c48e86
SHA1 b4e4523096d59d1ab48bbe92b5d0d74cddba1071
SHA256 5c40be42ec0e603ea412128276fc824158e16356d32297693330cfa57614ec72
SHA512 80e2f514b19e6dda922bd6d61d711a76a37b127937fd4ae60dab585224b481e7b52d4603d5c0532cdffd67543c8ff6c8b2c30e803a021177ea1a82ad7098a219

memory/4068-275-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/4404-277-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/4544-278-0x0000000074C30000-0x00000000753E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ssl.pyd

MD5 936919f3509b2a913bf9e05723bc7cd2
SHA1 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256 efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

memory/3012-303-0x00007FFA40410000-0x00007FFA4041F000-memory.dmp

memory/4544-304-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/3012-305-0x00007FFA36EC0000-0x00007FFA36EE4000-memory.dmp

memory/4544-307-0x0000000005D20000-0x0000000005DB2000-memory.dmp

memory/3104-306-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_sqlite3.pyd

MD5 c9d6ffa3798bb5ae9f1b082d66901350
SHA1 25724fecf4369447e77283ece810def499318086
SHA256 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_socket.pyd

MD5 3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1 aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_queue.pyd

MD5 8b3ba5fb207d27eb3632486b936396a3
SHA1 5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_lzma.pyd

MD5 5eee7d45b8d89c291965a153d86592ee
SHA1 93562dcdb10bd93433c7275d991681b299f45660
SHA256 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_bz2.pyd

MD5 341a6188f375c6702de4f9d0e1de8c08
SHA1 204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

C:\Users\Admin\AppData\Local\Temp\_MEI50322\sqlite3.dll

MD5 cc9d1869f9305b5a695fc5e76bd57b72
SHA1 c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA256 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512 e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

memory/3012-318-0x00007FFA2CBB0000-0x00007FFA2CBD3000-memory.dmp

memory/3484-317-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/3012-319-0x00007FFA272B0000-0x00007FFA27426000-memory.dmp

memory/4544-323-0x000000000A620000-0x000000000A658000-memory.dmp

memory/4544-325-0x000000000A5E0000-0x000000000A5EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

MD5 d4585f9675df894fa2351f3f7a1a504f
SHA1 4f874759b43cfb22f1da1e12b5ea7fccdf74c4b1
SHA256 0c34d34391cb0dc7b113b25e31be0d45ef91708fb702e3974f8b309517904a35
SHA512 73109ccfde9668f6282da333335ef287999ce33fa0d0f1595c7e1bac4eaf4878cdcb728ae40306a7623fb2f435719b56f0a2c9c94a0f5fcce46f97ae4082fe98

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_hashlib.pyd

MD5 6d2132108825afd85763fc3b8f612b11
SHA1 af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256 aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

memory/4544-333-0x000000000BBF0000-0x000000000C218000-memory.dmp

memory/3012-335-0x000001CFE5490000-0x000001CFE59B2000-memory.dmp

memory/936-337-0x000000001CA70000-0x000000001CA80000-memory.dmp

memory/3012-339-0x00007FFA3AF80000-0x00007FFA3AF99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe

MD5 58c5df5cfc1820f91b41baf966410070
SHA1 20e6ce27ca19688d62a6923e2a26e6d9008cb918
SHA256 dbd1955a8eca3841b55d3d353ec5fded2ebb61ba97fa5709819c3eba5ba12fc1
SHA512 2675698ab6a8f4c0a71814f2092a64ef548206bf9f378035bfbe2ed3fc59e1a9c33373ecceec6aa592551fdd258d22b7917d9afc875802b410041f5884c1fe03

memory/4544-348-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/3012-355-0x00007FFA2C350000-0x00007FFA2C364000-memory.dmp

memory/3012-357-0x00007FFA26A20000-0x00007FFA26B3C000-memory.dmp

memory/3012-356-0x00007FFA3C020000-0x00007FFA3C02D000-memory.dmp

memory/4544-359-0x000000000B8A0000-0x000000000B8D6000-memory.dmp

memory/4136-361-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/4544-360-0x000000000C8A0000-0x000000000CF1A000-memory.dmp

memory/4544-354-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/4544-353-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwsivrct.nqn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3012-342-0x00007FFA36EA0000-0x00007FFA36EB9000-memory.dmp

memory/4068-341-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/3012-338-0x00007FFA2D7F0000-0x00007FFA2D81D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd

MD5 6279c26d085d1b2efd53e9c3e74d0285
SHA1 bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA512 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

memory/936-362-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/3012-334-0x00007FFA26CB0000-0x00007FFA271D2000-memory.dmp

memory/3012-332-0x00007FFA271E0000-0x00007FFA272AD000-memory.dmp

memory/3012-389-0x00007FFA27430000-0x00007FFA27A1E000-memory.dmp

memory/3012-392-0x00007FFA40410000-0x00007FFA4041F000-memory.dmp

memory/3012-391-0x00007FFA36EC0000-0x00007FFA36EE4000-memory.dmp

memory/3012-395-0x00007FFA2D7F0000-0x00007FFA2D81D000-memory.dmp

memory/3012-397-0x00007FFA3AF80000-0x00007FFA3AF99000-memory.dmp

memory/3012-400-0x00007FFA2CBB0000-0x00007FFA2CBD3000-memory.dmp

memory/3012-401-0x00007FFA272B0000-0x00007FFA27426000-memory.dmp

memory/3012-404-0x00007FFA36EA0000-0x00007FFA36EB9000-memory.dmp

memory/3012-408-0x00007FFA2CB70000-0x00007FFA2CBA3000-memory.dmp

memory/3012-412-0x00007FFA26CB0000-0x00007FFA271D2000-memory.dmp

memory/3012-414-0x00007FFA3C020000-0x00007FFA3C02D000-memory.dmp

memory/3012-415-0x00007FFA26A20000-0x00007FFA26B3C000-memory.dmp

memory/3012-413-0x00007FFA2C350000-0x00007FFA2C364000-memory.dmp

memory/3012-411-0x00007FFA271E0000-0x00007FFA272AD000-memory.dmp

memory/3012-406-0x00007FFA3C050000-0x00007FFA3C05D000-memory.dmp

memory/3012-329-0x00007FFA2CB70000-0x00007FFA2CBA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI50322\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

memory/3012-322-0x00007FFA3C050000-0x00007FFA3C05D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\select.pyd

MD5 2398a631bae547d1d33e91335e6d210b
SHA1 f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA512 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

memory/4544-314-0x000000000A490000-0x000000000A498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_decimal.pyd

MD5 918e513c376a52a1046c4d4aee87042d
SHA1 d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256 f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512 ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

C:\Users\Admin\AppData\Local\Temp\_MEI50322\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI50322\blank.aes

MD5 291948ee8e8927f3a74e829695ff9b43
SHA1 2d28ac4941f4095b8ac4340e4b626af45da15625
SHA256 035ba985560ab044aa1c4c413dc1b5706031a6143cd38606e57b5da145aaac6a
SHA512 924ec1ba39ef26332855871222945b5d5197a7782387175e764558ec410f1f0dab9f8479575e582479e645c3af23d9264141b61846458489e335d308d6024906

C:\Users\Admin\AppData\Local\Temp\_MEI50322\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ctypes.pyd

MD5 ee2d4cd284d6bad4f207195bf5de727f
SHA1 781344a403bbffa0afb080942cd9459d9b05a348
SHA256 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512 a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

C:\Users\Admin\AppData\Local\Temp\_MEI50322\base_library.zip

MD5 9d84222015f5e2d8afb5ec74d6808ad0
SHA1 38f7c2439e7829cbd2837be1f8b0380ce5c8e444
SHA256 20adf37360e803029eb7f0a99ec882f277765193f6d4bed683a391c06959581f
SHA512 5939f286d47d8ad459521042781d666ff4f99a7b1e4c5747f32f4b3604abca9171fa777ea6453f2e169a4c62931d960b231894fa8faaae0e531c0f232a30e906

memory/1652-281-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp

memory/3012-280-0x00007FFA27430000-0x00007FFA27A1E000-memory.dmp

memory/4544-276-0x0000000000C80000-0x0000000001074000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI50322\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

C:\ProgramData\Fluxus V7.exe

MD5 b4f9cbca656fd34c4dbb1d706a7f1ad3
SHA1 2b95d88a80ccb619b581c420f7435c660cfbb28e
SHA256 1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d
SHA512 5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969

C:\ProgramData\Built.exe

MD5 022c90d2b607ce098df042969f1ff10c
SHA1 ba9e320d766bc4e131c51c115275dc0efe2b8df6
SHA256 60e2391c0b640cbed4d5773ad9d65a54dd07e03afa18d410ef8b08d90a2a3b07
SHA512 84cbcc875dd977d8b319fa68a472bf6ec3b7f923e43ab10fd88102bc02f46180820e427416bb5a95da57302b151703df298b9eb9c37ac93e98da0e181a7a5f31

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BanderaRAT.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\_MEI46202\blank.aes

MD5 fcd2a0afcdd171e5fbb84b4cfaac2bf2
SHA1 227f2b1ccebd278897d83ce8213c8a092828d8e8
SHA256 b9eec542fc7fca3229d8ae9d4f47a7d9dc1543aaaeb5babe5bbe62300955fbc5
SHA512 f8f425cc73c1703415c722b8f327eaf16739e4a83e6f41abbf2e9c8f0fefe29988c7ad903dffa8f988e6fde7695f36b9ad2ef5c0123c73b1bbcc09a8eb84d6b1

memory/400-721-0x00007FFA27230000-0x00007FFA2781E000-memory.dmp

memory/400-723-0x00007FFA2D7F0000-0x00007FFA2D814000-memory.dmp

memory/400-724-0x00007FFA3C020000-0x00007FFA3C02F000-memory.dmp

memory/400-726-0x00007FFA3B880000-0x00007FFA3B8AD000-memory.dmp

memory/400-728-0x00007FFA3B860000-0x00007FFA3B879000-memory.dmp

memory/400-730-0x00007FFA3B6B0000-0x00007FFA3B826000-memory.dmp

memory/400-729-0x00007FFA3B830000-0x00007FFA3B853000-memory.dmp

memory/400-731-0x00007FFA3B690000-0x00007FFA3B6A9000-memory.dmp

memory/400-732-0x00007FFA3BD60000-0x00007FFA3BD6D000-memory.dmp

memory/400-733-0x00007FFA271F0000-0x00007FFA27223000-memory.dmp

memory/400-744-0x00007FFA26CC0000-0x00007FFA271E2000-memory.dmp

memory/400-747-0x00007FFA26A70000-0x00007FFA26B3D000-memory.dmp

memory/400-748-0x00007FFA3B670000-0x00007FFA3B684000-memory.dmp

memory/400-749-0x00007FFA3BB50000-0x00007FFA3BB5D000-memory.dmp

memory/400-751-0x00007FFA25E60000-0x00007FFA25F7C000-memory.dmp