Analysis Overview
SHA256
854e1c26121698ba6b70584de483d601fe52d508195765618cb136d1da56141d
Threat Level: Known bad
The file Dbug.rar was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
njRAT/Bladabindi
Sets file to hidden
UPX packed file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies registry class
Creates scheduled task(s)
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 20:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 20:28
Reported
2024-03-04 20:31
Platform
win7-20240221-en
Max time kernel
127s
Max time network
154s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\Fluxus V7.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {BC119519-F183-4A91-AE3B-AAB06C15D5F5} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1068
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
| MD5 | 3e8b1f158ca26738d0338026b1b78eea |
| SHA1 | e7eb5c431fc856ad91fa3cad2f9a4625a5f3fe54 |
| SHA256 | f16174231d01bfa550623f8a04c8ae2cbe8d0e7122e5546d1d6cfd136ee570a6 |
| SHA512 | f62ab87964429a437f9369d50463ae4401674128a8c88f3798b5c217c36297250c7f94ffa0ce4e84d0242c0c8dc83603caff949cc4124e0bd9df7f5332bb98ea |
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
| MD5 | 6fc7ed50e81321274973ca99b7c1652a |
| SHA1 | 3afb3f7fb67df24115d744d97e75d182c738484e |
| SHA256 | 2b05580bb02270889f49598e71e472737a5e14d5ee68a8460ddc43c337d019ba |
| SHA512 | 729fda274d4fb0692c9d62ce32d4712853878536cce8eed75458509a28ba3d9791a37abddfd03e72494c1d45353b1c104c525130d4e323cf4fc62c581eb756a9 |
memory/1508-140-0x0000000000220000-0x00000000010AA000-memory.dmp
memory/1508-141-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1508-142-0x000000001C1B0000-0x000000001C230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 59142733b84a3cac99f8cc5213feecba |
| SHA1 | d778592509ae3deb22fc926e6178ffbe87b231c3 |
| SHA256 | 21bbdb4d35ebdc7245717babbfefc3461e464ae8572bc00694bddea89dab9d18 |
| SHA512 | 938a81e337d8af75906630df37a957c525c88de837e021025180d23a3ea937ac3b94f4bb3b843b0d0f81c8372e6484188d9b13868b78051e2dd3905b52075b42 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | fb9f49732473d1b51fdfef3fdb5c92aa |
| SHA1 | 12e64609a9bf065d60ceb36f5a21fc3ae9aadbb3 |
| SHA256 | 959f07aa2256586ede8d0df200c2f9e62d4f78045428d0c37151f75341dda6c7 |
| SHA512 | 3411479e9fb89475bb442a62fbd7c62f5a1f49ff1c74b2d92fcfbc2f4cf825c5fb994acb3818c05d0a56be86c61b6f290b14c4c9b87c2a65c4f7c6a3b5ed855b |
memory/2416-151-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2416-148-0x00000000012B0000-0x00000000015CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 8d6d2bbf937cd6bd3149035a5cc80171 |
| SHA1 | 9d46d8a12868a43802bb5532f50c94f34c92ae4f |
| SHA256 | 78af2bdee2c64692763f5f5bca4f809f03719efb21a43f89fe0dc3322fea2bfd |
| SHA512 | c2cccbb7049ff669bd11e78ca97b57ba8640e61ee86802f8209b10c158d04860eaf649a8843a736d0a886238e6482222abda2cc0fb2fc58b225d140f546c2669 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | bd0e3897e1485769a046e598cacc18bc |
| SHA1 | 21d4005d7d5415fedabdb9452b51f6bd472da5ed |
| SHA256 | 54db0aae2a0f78b2e4dcb38ab8c1c31d4d007cf94a65f830e1910779e1513699 |
| SHA512 | 6f241061162b15663d845d5e860eb3f5e555d009c516054845e5db031f02d5eb6903527db350889ac0540d162e462c5a7df8689f03282c5c72fb14742db69700 |
memory/1632-155-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1632-156-0x0000000000900000-0x0000000001462000-memory.dmp
memory/1508-157-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1632-158-0x000000001BBD0000-0x000000001BC50000-memory.dmp
memory/2568-169-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1080-168-0x000000013FCD0000-0x000000013FCDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 84e638e4cebeec9fe2df4f33d90423cb |
| SHA1 | 901504b1d19022dd4020b30a73e9623e40142435 |
| SHA256 | 2d876422d551eac5189bdfbea1d01b2a7dcbb4f1cca1963f3330ae5255fca490 |
| SHA512 | 28c09995b8bc5b0357813c056b383a804f41eb9c0af1b32835663e283cb0b1157146a819b32e7992d249f5f4eb94db49ecd598bbfd26efaa80e45eac9275ff08 |
memory/1080-170-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2416-171-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/2712-181-0x0000000000C30000-0x0000000000C48000-memory.dmp
memory/2832-180-0x0000000000270000-0x0000000000DDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 174b9cff9c8a30ffd0c9f606de004363 |
| SHA1 | 6360618e3dbe567e466311d54d6ed57abb9cb4b8 |
| SHA256 | 5de5a904047e6f79833f0368401d4ae6029ca302590b648ad2fb4656e5cb33d9 |
| SHA512 | a5887a61f88c1ffa2c83dea799879cd12786364f3208215d2ccdbba48ffbfed67bf009fb5ec886fde61d6e9cb9b3bcfe9852d92cd4f9857d59738aa1690e7bee |
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
memory/1632-188-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2832-195-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2712-198-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | bd7438f4803906c32d1f2501290a1049 |
| SHA1 | 1c5dc4093bed4360e57852e8ac7f7ebf37c61000 |
| SHA256 | e82731dc7bae6b38ac9fb6fcad946c910ab121fc91d4a2eaf1b8feac3e1f847b |
| SHA512 | 42f2eff1f9e64027b5892361f3dc767062f0981b05518b8847c59336c2d67c92a56a47173bc5ebae20739a1865152d964cea7cc0040c4ebe29d5cc80dc8773e8 |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Fluxus V7.exe
| MD5 | f27cd6031291f214be6fc4a8176603c6 |
| SHA1 | 23b2b6f423de0f28255e62284b07fdcba22a009a |
| SHA256 | 2a3be9316ed080310f55cea1e730da4b891b3ec7a1dde3705dea587fad55c6f0 |
| SHA512 | 3dce6784c320824bdf6c12c4038a2a6cc538005f8dd123ca36112791962a7088258def1cf82dd8590553ca7c18f1ed33d56cbf8fb463913ff19003114ebcd6c7 |
memory/2832-219-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/832-212-0x0000000000920000-0x0000000000936000-memory.dmp
\ProgramData\Built.exe
| MD5 | 1bc15f450b87869bf0be16eefe81bd01 |
| SHA1 | 46e654a56bfb7c95099bcba8a998ca6da6916575 |
| SHA256 | c0a71bc36c5f9138ba43aa803b3b4fa0255b2cc31f88d84a8ad95fe081167510 |
| SHA512 | 52d947a67be0a4337d825c641bda5a64d7b6945b67d8cbb6477428c0e2c8d17f2c26a8056b8265e2c8db687357d609fb2ab51bdd0bee899fa2abe5566cd4c901 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f28e4f84312c3a8e008d75a15c7a49d9 |
| SHA1 | f9d6d5f6227cbb45ed4846ee1154f9eeb796a8e5 |
| SHA256 | 8fefac5742c0e1671b877f9d851dfba9652ebf9d22c444bf2747f5d7f9d9e916 |
| SHA512 | aa21f098558f32f138a5d74f1a37cc83dfede02f408d7b6b26f79c04780e1a13769882c613d63ea03a98f86594e2437b8a9a11da924a5369b8d9d10c0d704ead |
memory/2104-193-0x00000000012F0000-0x0000000001300000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 31ef4957b664bcd6a59f53f053b6bdac |
| SHA1 | 7ddea191f5a3dcfda565dfabdfc47a14c3d585cf |
| SHA256 | 00996da1f8e29616666b7d7be7f00b2594823d01058b5bf8171af976d982bf3e |
| SHA512 | f5d16fbcada0ef21b4ab606154433603802c68fef8d985c913146e8ae9c49e9d76b84e3427f645d4dab59889ea7b3769327ff9cd00cb03d08b463489a562ace7 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 58c5df5cfc1820f91b41baf966410070 |
| SHA1 | 20e6ce27ca19688d62a6923e2a26e6d9008cb918 |
| SHA256 | dbd1955a8eca3841b55d3d353ec5fded2ebb61ba97fa5709819c3eba5ba12fc1 |
| SHA512 | 2675698ab6a8f4c0a71814f2092a64ef548206bf9f378035bfbe2ed3fc59e1a9c33373ecceec6aa592551fdd258d22b7917d9afc875802b410041f5884c1fe03 |
memory/1232-236-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1788-246-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1232-247-0x000000001AF10000-0x000000001AF90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f1c9e1199e9a1bbd9c708f488dd1e747 |
| SHA1 | 32bdd04a7e3a08fd0a2312cecfaf2eb5d2f5c17c |
| SHA256 | 9c75af305c1c0711c420b4c4c35b14d21de9940b9c7360f9b24830a6e0884724 |
| SHA512 | b76b0eceb4c8f11c67df7a2f29434e89220deb88eaee06a909cc356c69d9b34e5a65beefbde75294a90bfb786a43866b169afa8768c774dbc2b853b2506ffab8 |
memory/2104-251-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/756-249-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2568-244-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2108-243-0x0000000000CD0000-0x00000000010C4000-memory.dmp
memory/1080-241-0x0000000000900000-0x0000000000980000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18602\python311.dll
| MD5 | 4eb02581f8a1d4faa3ee1fbc7029f025 |
| SHA1 | 8ed8eaff7c90d61a5b5ae5964de7ff77cbc1c253 |
| SHA256 | 1b3a030f15185e549e28ca03365b622d3931348281cc90b699f19433f21dc4d0 |
| SHA512 | 3562886da464260fe82c0abd6bca9fb868844735a4a884177119fc37bb6ad110a1c69e5aaf3976112fc99ceebf30e137cea6e8560f264131f393581d8c847b43 |
C:\ProgramData\Built.exe
| MD5 | 3c2c83fd308f708efadad3baa1e63a9e |
| SHA1 | 6c4b07299a68a6a167cdb1e0742ae1fc96b437f8 |
| SHA256 | a626a14d20a9a2f855122666ab5240a1c3b448e3e33d55f90fa3a7dea8ef562c |
| SHA512 | 645d3f0903b32e3fbc18a26286b92524cf153c499d544718014fbe3e09467bf3c8ec6ef7e106a41de7722ba6466b9c9eaf99290324f42d6ca61756d8aba901ff |
C:\ProgramData\Fluxus V7.exe
| MD5 | b4f9cbca656fd34c4dbb1d706a7f1ad3 |
| SHA1 | 2b95d88a80ccb619b581c420f7435c660cfbb28e |
| SHA256 | 1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d |
| SHA512 | 5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969 |
memory/832-234-0x0000000074730000-0x0000000074E1E000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI18602\python311.dll
| MD5 | b33897b3b37b892fb4652068a3e09941 |
| SHA1 | 966fee64cccc97e75a0c6116492c907641c2d11b |
| SHA256 | c363ebae0ed6311740a3d20ae875678b0fd8f1b72930da559c9706f9a3d6d190 |
| SHA512 | e73e52ee5924d64c33fe0642b0ca2174ca4ce65d6a12cb43997a33bf4279291f1f25e0ea8203f1884ee6814491b010050ea0f737f88cd855e37218c4f659dcdb |
memory/2804-257-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1788-258-0x000000001BC10000-0x000000001BC90000-memory.dmp
memory/2108-255-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/756-259-0x000000001ABB0000-0x000000001AC30000-memory.dmp
memory/2584-260-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2616-261-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1232-262-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1528-263-0x000007FEF28B0000-0x000007FEF2E9E000-memory.dmp
memory/2616-268-0x000000001B610000-0x000000001B690000-memory.dmp
memory/2804-265-0x00000000021E0000-0x0000000002260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | ac89f261546e4af3ee01ddb559b690c1 |
| SHA1 | c00571745c7cc117b3927f2b2d8019b61363d876 |
| SHA256 | ae991e68547d8e6a7301bf81e152a8c1a64f3a044c5163b1dc610ecbaddee213 |
| SHA512 | 8738226394b3bad1fba8b956e473057112c37523bcb81eaf8de9ed070e55df5725157c1770ba047551e6f53e05755c871de812fa96fd358be3f689d361d5284c |
memory/756-271-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2804-264-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/832-272-0x00000000022D0000-0x0000000002310000-memory.dmp
memory/2520-274-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2848-277-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2584-276-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/832-280-0x00000000022D0000-0x0000000002310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 26fed2d3ce367c6eefa599eecd88c678 |
| SHA1 | 5dea21ebdf813a400cadb4e43a52de8fe2d07117 |
| SHA256 | b9d86dc320a26155acf3a6a13763eb9c8041e66736790e7a53255b6bd35821e6 |
| SHA512 | 1ed6c02ff43914bd829b89a0bc803f5d19b88164e864174144721fe16fdad0cc0dabaa1bb6351f74781327b07c197b28da11a48696cee7b479fb521222b890fe |
memory/832-273-0x00000000022D0000-0x0000000002310000-memory.dmp
memory/2192-288-0x00000000010A0000-0x00000000010B6000-memory.dmp
memory/2520-291-0x0000000000520000-0x00000000005A0000-memory.dmp
memory/2108-290-0x00000000025F0000-0x0000000002630000-memory.dmp
memory/2712-294-0x000000001B020000-0x000000001B0A0000-memory.dmp
memory/2616-295-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2664-302-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1644-305-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b698ebe6b0371dd472ee5cbdc00dd05c |
| SHA1 | cf00b809945010b9cb5b27a8499c2aba419cad9a |
| SHA256 | ace79b94883a25297b718a91eed8e04e495e03a23317e816d82fdc0ef4e0a557 |
| SHA512 | f9b27d8f4d3937e648536a77f590b78ca1ef6f61d57dd591e7cfd669c5c6c7253effede365ed788e26e928ab4f5a9cac1831e34cb6dd50b53da910d8e20f7a80 |
memory/2520-306-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1992-307-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2848-303-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1992-301-0x0000000000E40000-0x0000000000EC0000-memory.dmp
memory/2848-298-0x00000000006B0000-0x0000000000730000-memory.dmp
memory/832-297-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2000-293-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/1992-292-0x000007FEF5620000-0x000007FEF600C000-memory.dmp
memory/2192-289-0x0000000074730000-0x0000000074E1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 8b66a8d32d363d32953dddd62e80ca21 |
| SHA1 | 12ded8178e85560234eeb13e43999f7c7ee43703 |
| SHA256 | 27f82ec5a026b0208cdba8783f02a46ff69610720d99b28dd7c6a2bf470eac66 |
| SHA512 | c651471808582761aefd49217836cfc566ecba130e24fed986bd8f29eb9d200693e136c84d84b92983d9d9d3a73cc433e94afe726706c9e49f9fb39deff083f0 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f2913c0e170710b80e477e80e98ab51f |
| SHA1 | 98e7beb1d5582dc922cd6d87d72fb6b2f2905a7d |
| SHA256 | 011575d41de92fdb3bbbde87b55e04972fdfcc754456f67df9862f3281aa6e9f |
| SHA512 | 6bb3e5adb12d410b093a531544b4c2ba3276c1bb0b93b904d14f395076172b30f3c49e694793a894ae44e25fb5edb82aafa6555703db554a5c80ca28de9557db |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | a36984e4939c4e92eb6706864e509d5c |
| SHA1 | fda70f03c3796c21bd4863c46c65c9799f105688 |
| SHA256 | afd9b8d2336f8281ddbeae0dfb3765544648b9f2e5cc41763b44f0a28a11fbab |
| SHA512 | 7048ee9f9fde3f2995baef2921760eea257483badecd586f7ffdf5d6960b8b63521c1b328d3936d43cb370b0d699b42f0ce972dc613b84c27985ef7e1729e4c1 |
C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp.bat
| MD5 | 974f6e093079aed0879066f3cd2ce100 |
| SHA1 | 5876790f028bcf69a2858a7147c65bc2ef9d08df |
| SHA256 | 585e0ae8b39f92012ca1f23d12b7a3e7d84434c6b402adc780aeaf34ce21244c |
| SHA512 | 09e70f1a01229f738b688e50fb6b21a7d1802ccf309c7307a11d09f15a7de1e35d6f72b5a97209e82ca6d54bc0e0c13da9244a38db55f6aad1eb208f2990571c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUYJFY6DR3WSJYTGR2HV.temp
| MD5 | 5b1a92a47e0904eaca60ac553db43c05 |
| SHA1 | 82e685ceb9ceea3e8ee2136b27b25fdf6c6dd97d |
| SHA256 | bfc10422dba32e3d4a5271ffba7822b77494fcfee367e7ac1ab36ccddebeffc2 |
| SHA512 | fdda1c7c1a7b233afa9a7ded27538371c9c11765cdb882bf45ef66851bd762aeb76171c33cebcd5ec434f84d2fec183d72bf031c6d34ffc31569718e04b003cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5049.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-04 20:28
Reported
2024-03-04 20:31
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\ProgramData\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svchost\\$77svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
"C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D06.tmp.bat""
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-iqpwu.in | udp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-1vyhl.in | udp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 92.123.128.149:443 | www.bing.com | tcp |
| GB | 23.214.133.66:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.133.214.23.in-addr.arpa | udp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
| MD5 | 0d45f56a1e55674230062cb964bfcb53 |
| SHA1 | ac9864a3471d1002c41bafcd9a3cc09e9bd8da6c |
| SHA256 | b5368ba9a08842c144d2351cb803571523c8d88714df6e94b2ef331474aaaba5 |
| SHA512 | 29ddbbaf01229914c5070e0996076fe86df0f2b8d103fcb3c829efebf2d14b7627738b7e0eb8e264f502c525cd777feab352914be09f63af974ca208fc3f617f |
C:\Users\Admin\Desktop\Dеbug\BandeeraRAT By Donbas.exe
| MD5 | 3e39eede68a9c49ca3888c588508a633 |
| SHA1 | 45bee64962a89b79fa8d0bad81e0935756d7cabd |
| SHA256 | bb3911e1708607bcde7c2893b48b3a0fbc85152646830e8c7c71ee417bb6ee8d |
| SHA512 | 5422bf04ca0b92e52b1ac702f6ea2a04d176a9a0f4a2c455ce7bc5e5b0ae8e8d228e4f805f28b767ebd6946a98849dd3330d61c8a99a3b4c3a446cc10b9f57db |
memory/4708-117-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/4708-116-0x0000000000520000-0x00000000013AA000-memory.dmp
memory/4708-118-0x000000001BFE0000-0x000000001BFF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b869e32cdac575ca23d73e7f9f046e6b |
| SHA1 | 2bc4ce47bb37e3ffb4faabc1015d2608a8fa96c1 |
| SHA256 | 4dc95e267ff2a5054ca354035113f16be23c06e374343b6db43b5a084b71b8e3 |
| SHA512 | d6913b3460d947043313d65458768d2fb5bb24d38da236ca88a00f61f63829e164681a22c41c3780e25001827a7219eac73b47dc26eed5ad46705c0b079c7e80 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | fcd1f3fe6975bbba31e0378e4d3fcaa8 |
| SHA1 | 3c81e56db98c968cac680811bbaea93ee6cbce46 |
| SHA256 | 2cf3ce6bb37e8ba97d47db3410040cd33880db0a3359603aa5c5f1e36ef4bc86 |
| SHA512 | 12ad414d814302effdaa0f1dcf3005c7d860890650843fff5483c78a062f66d503b2572e5ddcafdebd6aaa9f3f1ac305072196c2ef4265613bfba310e29a27f8 |
memory/2076-138-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/2076-139-0x0000000000570000-0x000000000088E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 3c1cb8ebb27715109dd6eee01987c7b1 |
| SHA1 | f80db88bc235703afcf979b8b4a7a27c5b37ecfc |
| SHA256 | b41bae0c8a249ccbf99fcc645d7cfcdb54c6b0860bd3e86146bf9d02c52ecc62 |
| SHA512 | 39bfd0600d964bae5df034e618aa269ca5b91f07ffcd2171f9f6b4a63bb1fe1a7c7c3c0202294c80ebebc00e9d80f1136b3bc890eb10574f9098881d1c3c4131 |
memory/1268-145-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/4708-144-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | ef8161631ced518c0672b547e4ec0b92 |
| SHA1 | 149e0c776b2fa6b0acc4c1470149df1db153ea34 |
| SHA256 | 78fda8a1e4920b9637bdad7688a2d53d6c911f76edfc8ef350f61875e1f33e00 |
| SHA512 | 32c24e45e35fe62672b2647958ca0db590673f039ff0b7371eee4c0e6542332449f8206a6e4cfa49e71b8765f28885411f12b3372f9684c6d6be7d5d4384fb0e |
memory/1268-146-0x0000000000FB0000-0x0000000001B12000-memory.dmp
memory/2076-147-0x000000001B4F0000-0x000000001B500000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | dc3ba92c8e7e4a7b4617eb966efaf88b |
| SHA1 | 1c8e7fcc547a62cd518e8ff52894e2dbe8985c93 |
| SHA256 | 8facfbd4843b0f7632e32ea8a72411026de5516afcc41b69e365832126fc2f9c |
| SHA512 | fbf94d58d472c34f011199073e81f9ca32b187b2a47030be106dc637c77ba02c0a122caaa0b3f51ebc7fcce98ec825d0d819e247f551b7923119ec7d0eba8139 |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
memory/1652-161-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/936-162-0x0000000000DB0000-0x0000000000DBE000-memory.dmp
memory/2076-163-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/936-164-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/1268-165-0x000000001C810000-0x000000001C820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 9bec4284b92f40e10621fe0992062517 |
| SHA1 | 65fac7340f8de38c4f73681a49255ff395ea8489 |
| SHA256 | b68534c14820a25576e3b49c6ea6cc3c82461e83e735806b06e372e09468ba2a |
| SHA512 | f322d77d9e7c4aa2a053be14ef866d6081fb384bb03330624d939b84acc05e03170185da7b53bf88cdccaca2bd107d585cf73cf6ac94f5afd6dec3a3c2f7e9a0 |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | ff11b01b0f94e722e1436d217189ca06 |
| SHA1 | 06c40d6fafda5c79cd541c28b85998a1dba7a8a6 |
| SHA256 | 78b33c6d31c47f19981e619874ae4ee3531d73c6302dba522fd3ce6dfdb7ea10 |
| SHA512 | d14924990fcf1a0935d7965a56b716f9f3c1a982ae6e57743c3da2a65f4b275a96c830f1fa4f241c1fae94ee3c9aadc7d3c3dad533fcce759dd0a93901890be0 |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 80837fd8a08f3e6fc8e2c44a942a2e65 |
| SHA1 | a3db869f4ebaf273afb3ac46881046934e2a569f |
| SHA256 | a7dd2dba877d70f2a54bcb113dbe2e81f3c3e239524d5f9b4ef11f0d75b63d3e |
| SHA512 | af3b892378002e01170b3bc4a9f612f44b7bc2918d71761289da7ae3a8a179160005f6db4cc193f6c71770bbf165e8e8fe9d3579e232b96e068ccc6f65fed5a2 |
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/4404-189-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
memory/1424-192-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/748-210-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/4404-190-0x0000000000FC0000-0x0000000001B2E000-memory.dmp
memory/1424-193-0x00000000004B0000-0x00000000004C8000-memory.dmp
memory/1268-191-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/748-213-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/3104-215-0x0000000000EB0000-0x0000000000EC6000-memory.dmp
memory/3104-216-0x0000000005820000-0x00000000058BC000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 6013ac4a814cd1a08e89ba92d74fb03e |
| SHA1 | 94619fb1b39c480a3b80722037d71e7fb391c766 |
| SHA256 | a76d5393064a3a84c7bf3f64f821c0cf7e1c7c459e722d323b59f3de9684bdf6 |
| SHA512 | 1b68f5ca5d405ea9353d4be10605cb7ff672dba7c3f0f84b6813abe8ed2e3230e03db3f97d24752dc5321823623500ba3e682cc375b73485ebf8765cbdef635a |
memory/3104-228-0x0000000005E70000-0x0000000006414000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 693158dbb0b852f8e47d16702997bcb3 |
| SHA1 | 56a1a4d37be92436fd3a6a48414ac2e63c66266d |
| SHA256 | eb0ef1992c35cdf01090a14a7ed5bba1448f6470f568f5fb84202caf6bec08c6 |
| SHA512 | 7b2821d12fe8b2d80fed80cd689166583d3ba10d0eed095f4dd2cefbb2be076697c4a1d496dfe1bd02e4942d16370e7adbfa3a8b350b640f2eea6f4877bec23e |
memory/1652-229-0x000000001BB80000-0x000000001BB90000-memory.dmp
memory/3104-227-0x0000000074C30000-0x00000000753E0000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | 129676df0c6c34a5e35752dbc5c48e86 |
| SHA1 | b4e4523096d59d1ab48bbe92b5d0d74cddba1071 |
| SHA256 | 5c40be42ec0e603ea412128276fc824158e16356d32297693330cfa57614ec72 |
| SHA512 | 80e2f514b19e6dda922bd6d61d711a76a37b127937fd4ae60dab585224b481e7b52d4603d5c0532cdffd67543c8ff6c8b2c30e803a021177ea1a82ad7098a219 |
memory/4068-275-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/4404-277-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/4544-278-0x0000000074C30000-0x00000000753E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ssl.pyd
| MD5 | 936919f3509b2a913bf9e05723bc7cd2 |
| SHA1 | 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd |
| SHA256 | efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3 |
| SHA512 | 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3 |
memory/3012-303-0x00007FFA40410000-0x00007FFA4041F000-memory.dmp
memory/4544-304-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/3012-305-0x00007FFA36EC0000-0x00007FFA36EE4000-memory.dmp
memory/4544-307-0x0000000005D20000-0x0000000005DB2000-memory.dmp
memory/3104-306-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_sqlite3.pyd
| MD5 | c9d6ffa3798bb5ae9f1b082d66901350 |
| SHA1 | 25724fecf4369447e77283ece810def499318086 |
| SHA256 | 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec |
| SHA512 | 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_socket.pyd
| MD5 | 3ea95c5c76ea27ca44b7a55f6cfdcf53 |
| SHA1 | aace156795cfb6f418b6a68a254bb4adfc2afc56 |
| SHA256 | 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923 |
| SHA512 | 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_queue.pyd
| MD5 | 8b3ba5fb207d27eb3632486b936396a3 |
| SHA1 | 5ad45b469041d88ec7fd277d84b1e2093ec7f93e |
| SHA256 | 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051 |
| SHA512 | 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_lzma.pyd
| MD5 | 5eee7d45b8d89c291965a153d86592ee |
| SHA1 | 93562dcdb10bd93433c7275d991681b299f45660 |
| SHA256 | 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9 |
| SHA512 | 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_bz2.pyd
| MD5 | 341a6188f375c6702de4f9d0e1de8c08 |
| SHA1 | 204a508ca6a13eb030ed7953595e9b79b9b9ba3b |
| SHA256 | 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e |
| SHA512 | 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\sqlite3.dll
| MD5 | cc9d1869f9305b5a695fc5e76bd57b72 |
| SHA1 | c6a28791035e7e10cfae0ab51e9a5a8328ea55c1 |
| SHA256 | 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee |
| SHA512 | e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1 |
memory/3012-318-0x00007FFA2CBB0000-0x00007FFA2CBD3000-memory.dmp
memory/3484-317-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/3012-319-0x00007FFA272B0000-0x00007FFA27426000-memory.dmp
memory/4544-323-0x000000000A620000-0x000000000A658000-memory.dmp
memory/4544-325-0x000000000A5E0000-0x000000000A5EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll
| MD5 | d4585f9675df894fa2351f3f7a1a504f |
| SHA1 | 4f874759b43cfb22f1da1e12b5ea7fccdf74c4b1 |
| SHA256 | 0c34d34391cb0dc7b113b25e31be0d45ef91708fb702e3974f8b309517904a35 |
| SHA512 | 73109ccfde9668f6282da333335ef287999ce33fa0d0f1595c7e1bac4eaf4878cdcb728ae40306a7623fb2f435719b56f0a2c9c94a0f5fcce46f97ae4082fe98 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_hashlib.pyd
| MD5 | 6d2132108825afd85763fc3b8f612b11 |
| SHA1 | af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0 |
| SHA256 | aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52 |
| SHA512 | 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0 |
memory/4544-333-0x000000000BBF0000-0x000000000C218000-memory.dmp
memory/3012-335-0x000001CFE5490000-0x000001CFE59B2000-memory.dmp
memory/936-337-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/3012-339-0x00007FFA3AF80000-0x00007FFA3AF99000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 58c5df5cfc1820f91b41baf966410070 |
| SHA1 | 20e6ce27ca19688d62a6923e2a26e6d9008cb918 |
| SHA256 | dbd1955a8eca3841b55d3d353ec5fded2ebb61ba97fa5709819c3eba5ba12fc1 |
| SHA512 | 2675698ab6a8f4c0a71814f2092a64ef548206bf9f378035bfbe2ed3fc59e1a9c33373ecceec6aa592551fdd258d22b7917d9afc875802b410041f5884c1fe03 |
memory/4544-348-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/3012-355-0x00007FFA2C350000-0x00007FFA2C364000-memory.dmp
memory/3012-357-0x00007FFA26A20000-0x00007FFA26B3C000-memory.dmp
memory/3012-356-0x00007FFA3C020000-0x00007FFA3C02D000-memory.dmp
memory/4544-359-0x000000000B8A0000-0x000000000B8D6000-memory.dmp
memory/4136-361-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/4544-360-0x000000000C8A0000-0x000000000CF1A000-memory.dmp
memory/4544-354-0x00000000058E0000-0x00000000058F0000-memory.dmp
memory/4544-353-0x0000000006AB0000-0x0000000006ACA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwsivrct.nqn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3012-342-0x00007FFA36EA0000-0x00007FFA36EB9000-memory.dmp
memory/4068-341-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/3012-338-0x00007FFA2D7F0000-0x00007FFA2D81D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd
| MD5 | 6279c26d085d1b2efd53e9c3e74d0285 |
| SHA1 | bd0d274fb9502406b6b9a5756760b78919fa2518 |
| SHA256 | 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6 |
| SHA512 | 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9 |
memory/936-362-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/3012-334-0x00007FFA26CB0000-0x00007FFA271D2000-memory.dmp
memory/3012-332-0x00007FFA271E0000-0x00007FFA272AD000-memory.dmp
memory/3012-389-0x00007FFA27430000-0x00007FFA27A1E000-memory.dmp
memory/3012-392-0x00007FFA40410000-0x00007FFA4041F000-memory.dmp
memory/3012-391-0x00007FFA36EC0000-0x00007FFA36EE4000-memory.dmp
memory/3012-395-0x00007FFA2D7F0000-0x00007FFA2D81D000-memory.dmp
memory/3012-397-0x00007FFA3AF80000-0x00007FFA3AF99000-memory.dmp
memory/3012-400-0x00007FFA2CBB0000-0x00007FFA2CBD3000-memory.dmp
memory/3012-401-0x00007FFA272B0000-0x00007FFA27426000-memory.dmp
memory/3012-404-0x00007FFA36EA0000-0x00007FFA36EB9000-memory.dmp
memory/3012-408-0x00007FFA2CB70000-0x00007FFA2CBA3000-memory.dmp
memory/3012-412-0x00007FFA26CB0000-0x00007FFA271D2000-memory.dmp
memory/3012-414-0x00007FFA3C020000-0x00007FFA3C02D000-memory.dmp
memory/3012-415-0x00007FFA26A20000-0x00007FFA26B3C000-memory.dmp
memory/3012-413-0x00007FFA2C350000-0x00007FFA2C364000-memory.dmp
memory/3012-411-0x00007FFA271E0000-0x00007FFA272AD000-memory.dmp
memory/3012-406-0x00007FFA3C050000-0x00007FFA3C05D000-memory.dmp
memory/3012-329-0x00007FFA2CB70000-0x00007FFA2CBA3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll
| MD5 | 27515b5bb912701abb4dfad186b1da1f |
| SHA1 | 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411 |
| SHA256 | fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a |
| SHA512 | 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libssl-3.dll
| MD5 | 6eda5a055b164e5e798429dcd94f5b88 |
| SHA1 | 2c5494379d1efe6b0a101801e09f10a7cb82dbe9 |
| SHA256 | 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8 |
| SHA512 | 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e |
memory/3012-322-0x00007FFA3C050000-0x00007FFA3C05D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\select.pyd
| MD5 | 2398a631bae547d1d33e91335e6d210b |
| SHA1 | f1f10f901da76323d68a4c9b57f5edfd3baf30f5 |
| SHA256 | 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435 |
| SHA512 | 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21 |
memory/4544-314-0x000000000A490000-0x000000000A498000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_decimal.pyd
| MD5 | 918e513c376a52a1046c4d4aee87042d |
| SHA1 | d54edc813f56c17700252f487ef978bde1e7f7e1 |
| SHA256 | f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29 |
| SHA512 | ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\blank.aes
| MD5 | 291948ee8e8927f3a74e829695ff9b43 |
| SHA1 | 2d28ac4941f4095b8ac4340e4b626af45da15625 |
| SHA256 | 035ba985560ab044aa1c4c413dc1b5706031a6143cd38606e57b5da145aaac6a |
| SHA512 | 924ec1ba39ef26332855871222945b5d5197a7782387175e764558ec410f1f0dab9f8479575e582479e645c3af23d9264141b61846458489e335d308d6024906 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ctypes.pyd
| MD5 | ee2d4cd284d6bad4f207195bf5de727f |
| SHA1 | 781344a403bbffa0afb080942cd9459d9b05a348 |
| SHA256 | 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009 |
| SHA512 | a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\base_library.zip
| MD5 | 9d84222015f5e2d8afb5ec74d6808ad0 |
| SHA1 | 38f7c2439e7829cbd2837be1f8b0380ce5c8e444 |
| SHA256 | 20adf37360e803029eb7f0a99ec882f277765193f6d4bed683a391c06959581f |
| SHA512 | 5939f286d47d8ad459521042781d666ff4f99a7b1e4c5747f32f4b3604abca9171fa777ea6453f2e169a4c62931d960b231894fa8faaae0e531c0f232a30e906 |
memory/1652-281-0x00007FFA2AB60000-0x00007FFA2B621000-memory.dmp
memory/3012-280-0x00007FFA27430000-0x00007FFA27A1E000-memory.dmp
memory/4544-276-0x0000000000C80000-0x0000000001074000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI50322\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
C:\ProgramData\Fluxus V7.exe
| MD5 | b4f9cbca656fd34c4dbb1d706a7f1ad3 |
| SHA1 | 2b95d88a80ccb619b581c420f7435c660cfbb28e |
| SHA256 | 1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d |
| SHA512 | 5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969 |
C:\ProgramData\Built.exe
| MD5 | 022c90d2b607ce098df042969f1ff10c |
| SHA1 | ba9e320d766bc4e131c51c115275dc0efe2b8df6 |
| SHA256 | 60e2391c0b640cbed4d5773ad9d65a54dd07e03afa18d410ef8b08d90a2a3b07 |
| SHA512 | 84cbcc875dd977d8b319fa68a472bf6ec3b7f923e43ab10fd88102bc02f46180820e427416bb5a95da57302b151703df298b9eb9c37ac93e98da0e181a7a5f31 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BanderaRAT.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Temp\_MEI46202\blank.aes
| MD5 | fcd2a0afcdd171e5fbb84b4cfaac2bf2 |
| SHA1 | 227f2b1ccebd278897d83ce8213c8a092828d8e8 |
| SHA256 | b9eec542fc7fca3229d8ae9d4f47a7d9dc1543aaaeb5babe5bbe62300955fbc5 |
| SHA512 | f8f425cc73c1703415c722b8f327eaf16739e4a83e6f41abbf2e9c8f0fefe29988c7ad903dffa8f988e6fde7695f36b9ad2ef5c0123c73b1bbcc09a8eb84d6b1 |
memory/400-721-0x00007FFA27230000-0x00007FFA2781E000-memory.dmp
memory/400-723-0x00007FFA2D7F0000-0x00007FFA2D814000-memory.dmp
memory/400-724-0x00007FFA3C020000-0x00007FFA3C02F000-memory.dmp
memory/400-726-0x00007FFA3B880000-0x00007FFA3B8AD000-memory.dmp
memory/400-728-0x00007FFA3B860000-0x00007FFA3B879000-memory.dmp
memory/400-730-0x00007FFA3B6B0000-0x00007FFA3B826000-memory.dmp
memory/400-729-0x00007FFA3B830000-0x00007FFA3B853000-memory.dmp
memory/400-731-0x00007FFA3B690000-0x00007FFA3B6A9000-memory.dmp
memory/400-732-0x00007FFA3BD60000-0x00007FFA3BD6D000-memory.dmp
memory/400-733-0x00007FFA271F0000-0x00007FFA27223000-memory.dmp
memory/400-744-0x00007FFA26CC0000-0x00007FFA271E2000-memory.dmp
memory/400-747-0x00007FFA26A70000-0x00007FFA26B3D000-memory.dmp
memory/400-748-0x00007FFA3B670000-0x00007FFA3B684000-memory.dmp
memory/400-749-0x00007FFA3BB50000-0x00007FFA3BB5D000-memory.dmp
memory/400-751-0x00007FFA25E60000-0x00007FFA25F7C000-memory.dmp