Analysis Overview
SHA256
854e1c26121698ba6b70584de483d601fe52d508195765618cb136d1da56141d
Threat Level: Known bad
The file Dbug.rar was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Xworm
Detect Xworm Payload
Sets file to hidden
Drops startup file
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies registry class
Enumerates processes with tasklist
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240221-en
Max time kernel
113s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svchost\\$77svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\Fluxus V7.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"
C:\Users\Admin\AppData\Local\Temp\7zO07A96386\BandeeraRAT By Donbas.exe
"C:\Users\Admin\AppData\Local\Temp\7zO07A96386\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1076
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp72FE.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {15E774AD-B623-44C0-B163-E2EDFC72FB8E} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO07A96386\BandeeraRAT By Donbas.exe
| MD5 | 0b4f44f1ce00a6167e1eb5b4a7067946 |
| SHA1 | f15db43ec72d0aeaeedfb4a484a60556584a2781 |
| SHA256 | ca344ee75f8bb0569fc1c38fd57e573a7d935ee03b96619bad69839dd441ef77 |
| SHA512 | d00db30966399b32392a743553ae828bf8ce3d27e8bf9653c6fc1c280cf8f8bdfa624b04f7a5891fa89cea4955deec6b9407c310d7b3df322e41d31bd261373f |
C:\Users\Admin\AppData\Local\Temp\7zO07A96386\BandeeraRAT By Donbas.exe
| MD5 | 21eba0d4f568db5690f6d14c57c7c811 |
| SHA1 | 068f105cacf38aa4aa582c36a682650742136d5d |
| SHA256 | e794475b19ecf1dde3795a79b9009a626e1194f7af8d0a8595d68b4d54f66cab |
| SHA512 | 07ce4fe9587155e6ebfe76b79bb938d63709cb43617f0d99445ae43b767f8d9a95bf9d4498bb06c6622cd63142a3c7b452531d8d02459f6f9c70438c71674de2 |
C:\Users\Admin\AppData\Local\Temp\7zO07A96386\BandeeraRAT By Donbas.exe
| MD5 | 0f396d50a74480ff688009f72ee5df45 |
| SHA1 | cf6c7c6fc53db53c6b1c67f770a34d0544e9038e |
| SHA256 | b54044acf79b00b13cf9edd17851a5b6852c698a3071405c36b8df9c933479e3 |
| SHA512 | c84c9084fbe6eef5b7854d8dede64831536dce960876deea12847ea13d4ffd2cef8a99ec6d7005785afc57f1749ee5790d845735daba1d49e74da0604df721d6 |
memory/2792-35-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2792-36-0x0000000000B10000-0x000000000199A000-memory.dmp
memory/2792-37-0x000000001C000000-0x000000001C080000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f4590b3f0ba0febc1eaad2387a7e4447 |
| SHA1 | 22101047458aa067b96ebe9737c188eac797a54a |
| SHA256 | 42126d328c5ddf7bb8bc8901132d0d55c766fb287a013d1580ee1368e65e77bc |
| SHA512 | 7ed22452a910dd15195cc58fa4cecc820218f439688864422f94b6dd1cbf7f8f9dcf54e032f08e15fbe9ed94044bf19867ecfd443b328212f8b5ced1f493f4df |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 1fb5a69584cad68888b01ca0e6992c1a |
| SHA1 | 28052d085f5e6766abe5a7ffa2ed4d784abbd890 |
| SHA256 | a2fd6e55b72baa711139d069c5d28e185557b80e06835acb68e287a7b0f3c4a9 |
| SHA512 | c5344b9056f1506789fcff569c2df2345f984589db88ca487d524458912811be2671bfbb213673c51f0a55ec55879d8feb8de7fdf676e230530d6ad29bba9f1f |
memory/2380-45-0x0000000000F90000-0x00000000012AE000-memory.dmp
memory/2380-46-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 23738b5d0f55854c4127b078ecbbd674 |
| SHA1 | b8a3ce8ddbb1c15b3bce5623ee70e456842ff3b6 |
| SHA256 | d01a6f80498e0ecb2ef03a029a9bdc49d11ffb31596fcf44be5b73c9838b907d |
| SHA512 | 3c6a18e9662c1faaa19f922ea75398a8e59f0dd6cca3801c012f521913604696ba455f0877e1daf51b2eba71e4273fc41f62cd71e4d0305c318620a85bbb4580 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 57315a34d6c8a1adda61519f0d81e458 |
| SHA1 | b773e466c83398662a3449fc1da7e2cb66df2d75 |
| SHA256 | 4c024ba0443731b8c1ad2664bd775d583d8099067a7c122cfa6a8dfc552e1796 |
| SHA512 | 356f898dce114cb42d2e5d6d7c723cf774fe5e4cb924b560997434a4e5bdfcddde6007f9b76702ae0deb53dcad1acf7e14d4b7572d0c5119367bce316f692f61 |
memory/2800-51-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2800-50-0x0000000000960000-0x00000000014C2000-memory.dmp
memory/2792-52-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | fbe926ad4e71082fe8cfc7fb8b485ef9 |
| SHA1 | 8bea1a3fbd7bd89b590268b26334f187300fc783 |
| SHA256 | 61a76c13e2793d3ad921b3749b9f32177d230535cc62b018c50c470ea953d6d1 |
| SHA512 | 730d315fbc15aca6fdfa4a04a327aa6997228d18e4e8fda241522292fbfa132900901477eef79fb241b3f9fb6ead42be3d5fc38d7dba5c0fec7b5d5df01ebc75 |
\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
memory/2800-62-0x000000001BF80000-0x000000001C000000-memory.dmp
memory/2628-61-0x000000013F710000-0x000000013F71E000-memory.dmp
memory/2116-58-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2628-65-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 56e43170f629940de795859e3ae391a6 |
| SHA1 | 24a5f2a26c36561613078418775ef0ba80ffd6bb |
| SHA256 | ccd039fd66c4c64fffba545e7d984f6ac3e938aa7e3db00f1d48267ae61c949b |
| SHA512 | ee1db032b17ee989d651f8ffe85aba2b243a414d8ea06a275551ddf1ba478858d7d5ec7e4f425d8f46a7975b64808279b58b04026802cd117979a78bad81d7b8 |
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/2496-75-0x0000000000380000-0x0000000000398000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | 0cb39dbb9de0d51782f79ad370fdbc6c |
| SHA1 | 9791a07a2671bc139c91fe359767b9385782ce2c |
| SHA256 | 24efd7c23130977b56d239b08b44fa66fb3d2c61b91dbe8e209198a6de52fa56 |
| SHA512 | 7001088398ad3599f1867da1384c2dc5ad2021771e153b6d33ba2cddbd1fbe99fc5426afdc8f025d30e8c0f5f61f37efe8213a54c438aeaf4e7612f90370703d |
memory/2724-76-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2380-69-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2496-77-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 031a1b0b5f10867d8d340ba1aa5b7cac |
| SHA1 | 6a4d487c68f806319b8d01df55dd71a072b21b41 |
| SHA256 | 6caaa846e09114f9d4a94a58818ac97b5285b6dba258296b4da6e01dfdece8ec |
| SHA512 | 4f514ccbc5e5b7932260ac0e828662b6d14e11f1c660624d476e79b65b62b9a793b5d421faa8a244eab65516bcc68a453a30d70a7b5e01e3f344ef988ff0f29a |
memory/2800-79-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2724-78-0x0000000000E30000-0x000000000199E000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
memory/2788-91-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2788-92-0x00000000010B0000-0x00000000010C0000-memory.dmp
\ProgramData\Built.exe
| MD5 | 21f608ca5d177b50dcca9e2d73ed6806 |
| SHA1 | fdbd7cd8d26c8da56be90202641bcc3f62afb64f |
| SHA256 | 6e84b10079c007355ab4ef0a0829c4e0504e580b2978673057a91cbf47a9330f |
| SHA512 | 691de4868dd318549036c4c5fe1c5177487108d1d1fa502853f4b3d57eefc1f0b9a39964ff00866581670141b980a1bbc1474ea3b98568a1287cf4e24025afe6 |
memory/1508-100-0x0000000000290000-0x00000000002A6000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 8d97153b89dee5bb7aede02718b977ae |
| SHA1 | 25170cbc698b0d343228f283068b4cb9e831db02 |
| SHA256 | 53b91e9595ef944ae61c5bede34218a3b8c926710a703182cda7ffddc3b444e2 |
| SHA512 | 4c0a17c706c219eccaeb17e143e29927572c0ff54365883b62fe626c3b1cb7d916afa3d6cbd134cac0590ff0b5f8d69ff1dd4bb72a8fccf8d177e9e0fd9cc562 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 44acc55c4a0365db7413aa596eb298df |
| SHA1 | e55ce51b8af05c16d4a914e6a68e4278b8c06ef4 |
| SHA256 | bd4d043c050dc89ce6c9ebab89253a60a39a91c4a58fb0ef9cd56e8120fccd1f |
| SHA512 | 3b147460f1772cfec3c9600c2b6b6928d4462e576548445202f302ffb90861bac352bd9dcd99b9de5350500964e64e57f943a118ac4b75a8a6ecab15af749811 |
memory/2116-110-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | 78507b570cbaba27852311eb3ec9beb3 |
| SHA1 | 25445ca283d004f1e7a3e60dceb25688c136acff |
| SHA256 | 4b891268f6da97849390d9e86b4bcc686a5100a18b5cd2e602d5edd397525467 |
| SHA512 | 39eecf71e5fc023318ba6d0c4d7d2c87a069f9ceb9a332a5b402e46243451e62419c02c9d87869b009b8ac3943cd1f5092c461dbf7925250f0c8328a120f7e37 |
C:\ProgramData\Built.exe
| MD5 | 882954825841c0e15c97e7bf5a4cd131 |
| SHA1 | 1956b37e217012bd579e948f8cad6c725035f8e3 |
| SHA256 | 9ebed151c8e7effa5cb6991482f25ae194c16e7869c650e0c4cfa124e1a79605 |
| SHA512 | a9db230dd4baec613b45e88aa77bd1477607176dd9739092d63801c7305e46a3211a98b2b59ab2c4d40321e29d876701edbe01bfd5538348f1ef0e87f875715f |
memory/2724-132-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI19962\python311.dll
| MD5 | 74b1b2d9b3d36a3b0c78f44f1f7be9cd |
| SHA1 | b0740b652169bcd176a7d18ab247374c0f6ddeea |
| SHA256 | c03cf0d6caf55c912635215c616982e0147e88da722a210a53cece356a9298c6 |
| SHA512 | 038b03f2b1de31c5f63990412d84a2c5d690c0fc724911c397d6c38029b83719f376906148f8ea503641741c6427605b0e6f16fef86b0c6a1ea176c4ce134ee0 |
C:\ProgramData\Fluxus V7.exe
| MD5 | 50505365fd7feb5d3699cfb74d30bfc6 |
| SHA1 | 473e38b2d3dd3c04b96d144cfcaf17f063ec7227 |
| SHA256 | 8034fe2c00b99ebb50d6eeea28f209bc96a04a14585a279c02fb8200f357f612 |
| SHA512 | 862d3a98d3234e21b045a9c01c6ea01a16ff0fe9dd65b92d80997d2dd28bf64d8ff01e733f31e5ffc11f70f420e0117220dc586c22335a05229181608213641b |
C:\ProgramData\Built.exe
| MD5 | ce74ae7ac31fe14b7725e46dc3dae1c8 |
| SHA1 | 13646d742b2412eefc371216a538055a69a84f35 |
| SHA256 | de8daad2a6e4324aa4a66e22d4794080a795788bccc7ad464aab3d5554f4a0a8 |
| SHA512 | 04ad8b6ab3bec6c1f936cbe603abc6e1ebc15435b13641861ef5a55f2311a270819bd6bbbc6cc9e71f10d673d5ab6f4d8517463a55a09287e252ad71e7e654c9 |
memory/820-134-0x0000000000960000-0x0000000000D54000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19962\python311.dll
| MD5 | e83adef934d448d3e9b4b499380ba417 |
| SHA1 | b1c6cdd1a768bfe3f86e8389782ae7412874566f |
| SHA256 | 186b0e0ab1f4ca7c9f03dd780d7f8100cac8caf66880761d128af3664b6be199 |
| SHA512 | 79306950f4efd0b72aa16dd27f60113ce0a89cad1fc2c48c051efa2905a1f1c4613e000c6b1347b1e27a68b700aff0d43d7d607919f7d6f0abb24ec07921115d |
memory/1508-136-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/2064-137-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2220-138-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2496-139-0x000000001AF90000-0x000000001B010000-memory.dmp
memory/2628-145-0x0000000002350000-0x00000000023D0000-memory.dmp
memory/2064-146-0x000000001B3E0000-0x000000001B460000-memory.dmp
memory/1924-144-0x000007FEF19F0000-0x000007FEF1FDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | ea345663d18bdf0b44337a7f5a7dddf8 |
| SHA1 | b077273b9e7013f5aaeeda448046cfedd999a4b1 |
| SHA256 | 6866b6af206bd5ac4859cc040c370c59b80b5b8a5ac16dc8478839ffb3470d06 |
| SHA512 | fd6e91368de5632d88ab39fa5a3e4f3787639209608b3c5f0a07bbd3052b3c1556fe2a1993fe90acf4a114ec76809113288c173ac9b878327402a171bb459ff2 |
memory/820-140-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/2300-148-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
C:\Windows.exe
| MD5 | b5b478925750940a062f220b5443b838 |
| SHA1 | 49637528cd5ccbf75d2eda3bb0fb649b5dc60859 |
| SHA256 | bf8faa8891d3ccbcfc8cddde27db59e631ab6122b9d0de4d08551cac3e9d3993 |
| SHA512 | 4253f646b0e4cefabfca70316b8ab8434690fe9d88eafb201f4c5611d429821df3982ce97d2f97d80196b6afa7ac201c22084fca0a3ef8a0b269dff4bb9fc947 |
memory/2064-151-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/1796-150-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/1508-153-0x0000000002010000-0x0000000002050000-memory.dmp
memory/2220-154-0x000000001BC20000-0x000000001BCA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b9a56ceeb4c5283ed11ca0c19ca577a4 |
| SHA1 | cf7bef243c5f38f8b4f28e43e4451a47c4779070 |
| SHA256 | 0249694b09ee15f493c4c6f95e7066b03414935edf76ec09d7a73a3e61c35e6a |
| SHA512 | d5ce4bb6a3c2a34c30a8bab4f3e26368dabe539853ee22f4c9450fc972dc82e02ee884da77ac5d93cb481387102d693eedc9bbd079caf69c58f010b4b998120b |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | e3c88b5959270379646480c6020de061 |
| SHA1 | 8851da7374822cef74b20290c74ef47c27625d1b |
| SHA256 | cb2c4ba946dc16c10436288dd5842142663517ab50248ba21bcc3193af837fb0 |
| SHA512 | 128e25edd484346e4568959da74d0bc0e872ce9333ac82c9c0a2078660da89c576e663ac265cee86b8f48296e0fe235b28ff4f6a144553a6c53cc13087e6b449 |
memory/2652-161-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2648-162-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2496-163-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2788-157-0x000000001B480000-0x000000001B500000-memory.dmp
memory/1796-156-0x0000000000C40000-0x0000000000CC0000-memory.dmp
memory/2628-155-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2788-164-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/1508-165-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/2300-166-0x000000001B590000-0x000000001B610000-memory.dmp
memory/1796-168-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2300-167-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/3004-173-0x000000001B410000-0x000000001B6F2000-memory.dmp
memory/3004-174-0x0000000002320000-0x0000000002328000-memory.dmp
memory/3004-175-0x000007FEEDF50000-0x000007FEEE8ED000-memory.dmp
memory/2220-176-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/3004-178-0x0000000002A64000-0x0000000002A67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 05de6c8b3ed5ca432baa3146e514e2ba |
| SHA1 | b5e71526d0d63a1dde31c3ff6c65beaada2f6c46 |
| SHA256 | 1138a214dcff68f7da496582a046a221221356af9c235b8dd168a63db88ae760 |
| SHA512 | 59fc6c58ddb3557173dfda11df63250e21bec12f0d8575b51e084ad6905235e8000d1f7f066c8d34a4ce505d74a341a1f1792c237cb274f82bf608d28baabb15 |
memory/3004-183-0x000007FEEDF50000-0x000007FEEE8ED000-memory.dmp
memory/820-185-0x0000000000380000-0x000000000038A000-memory.dmp
memory/3004-184-0x0000000002A6B000-0x0000000002AD2000-memory.dmp
memory/2628-190-0x0000000002350000-0x00000000023D0000-memory.dmp
memory/2648-191-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/2492-192-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp
memory/820-189-0x0000000000520000-0x0000000000560000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 8feab69ab900119981c94d0b1381ca92 |
| SHA1 | 5d96af98783cb63997bb1e102e8be1868f3dfbb3 |
| SHA256 | dc1522f3ee13fcda5b022aee70a06303be810862ad189256d7d82e4fdfcd2f4d |
| SHA512 | a9052fd90287076d155f95e0aa91f6e02e2f88ba33e09b728ba98194a413bc51b0ef88c37dab2e6199fa0c2b42a9756f6ed3352269824936270edc3f324c373d |
memory/2648-188-0x000000001B480000-0x000000001B500000-memory.dmp
memory/820-187-0x0000000073DD0000-0x00000000744BE000-memory.dmp
memory/3004-182-0x0000000002A60000-0x0000000002AE0000-memory.dmp
memory/2496-177-0x000000001AF90000-0x000000001B010000-memory.dmp
\ProgramData\Fluxus V7.exe
| MD5 | 7b7ec8bdb7bc564af7811bf15bf75de5 |
| SHA1 | 1bcf9c2b6c92a45012c58d7b78f1a11d1a723fbc |
| SHA256 | 81d736f2183f74cac2eecb90a4ae3e614d0d2e0299daf768bbb2d1f44a4a1167 |
| SHA512 | 44da7a1da740f905fc711ddf679d9f62e083d22b3cb735a5795073defcd3a5a7da0501596ab345184bef410bb398cd65767ab963b976f5dced8e1bcd0416acb6 |
\ProgramData\Fluxus V7.exe
| MD5 | 32a764179d5cf7e3ebbaca38e11c89fb |
| SHA1 | 4c387f1405e896bf782f8b8d1bc2030cc50c8c08 |
| SHA256 | 78c6688e982bfc771c563cb3577c9e0ba87f3cdb2008a7fd6e0bf825ec95cc26 |
| SHA512 | d264db17f6603ece03eff392a3dd6da323a2e4b82857be87e96ba8b739e158a6363aeffb0bb65b075caccf053672391ece3672c2248d9d6537b8fdaaa659df51 |
\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 2853a37d765b4f6b9b81a1ce7b7b541c |
| SHA1 | 3c02297a6955401795562e39682f1163619435aa |
| SHA256 | 8037f75f1bdab4448218bc03ec435290d3ac59399c63ec63c60f7e611ab5f9d7 |
| SHA512 | 2b1d5e0a08a6a0651c16ba02b97f89e20ee68776501cebb4b86d14d95393a32c79e122646f35ddff5e0c7dd08f2616fe0eb6d22a359b95ed7f5c2c5398116be3 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 679623527d52f2f7b3c6e2aa055db957 |
| SHA1 | e9911e95ee7457ac68f082d269dada709899d89d |
| SHA256 | c35543b31dc16ed79a76469f411116923513114c923fafcce312d4366ca8253c |
| SHA512 | 8b695711c3b10a27683df22108aaa8fcaf8da6455afae8ea7cb33929ce6b5d35c287bd478c2ef98e1b272b2fad892ea2f2b84aaa65f761e2ff932ddce4fe563e |
\ProgramData\Fluxus V7.exe
| MD5 | 2055d65eac2eeece22fe56abcee73712 |
| SHA1 | 9edd455af3212650917e11bcb974aca6b1a2a7e8 |
| SHA256 | 387bcaed8f7150eb53f5f991f5a3bd3312c113b7c7dbb18070790a3ba067bc11 |
| SHA512 | 06af367583d1eadbc1aaf82de1b1f4f5907c0f0c46541fec3fca9fbb182861d14f3514c24e01f4d37301a049aad46877923ef0bf4f737bd6a995ae6a6eee1e8a |
\ProgramData\Fluxus V7.exe
| MD5 | 959df900b281d424493154cb230fca71 |
| SHA1 | 7f1982b5ae7de3f4f291e5a9157190a90942d79b |
| SHA256 | 705efb98fa2bccdf40e812e79e49b6fa58efa4d94ca7a985c01defdc3d20950b |
| SHA512 | 3c25e5cbc61281645c086067173a5e1eb3888c57768815bd54c1b5740f973ba89240ece10ccea828a8cd33dbef47e0d0d81cb78dd2e07dc42a5e24889764d2f4 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\ProgramData\Fluxus V7.exe
| MD5 | 9f6d03fb5385d3c8cdd3e10b16698c25 |
| SHA1 | 51a90e75b8ceb23fd165f8146ab27122bc859798 |
| SHA256 | 4068bc37cc1bc50c3eb7d970e4e164b907b7af0bd911a2ec3d6caab78fc6c102 |
| SHA512 | 8728a40ac64871fe26f9fa96c4a33a2338134ec455b1d297f1a87e563e7355126e27b496a35f3a161b9fe0e913fb9822d2293237ae795b5b82c9eee45ec406a7 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 1977fd8b6bd8287234898b4578ce96fb |
| SHA1 | d0774f21d51d45e88128ee44a1ded0fd3ee7cd94 |
| SHA256 | e074d796ce405c9b1760f35d511a291a2154dfa765935e2cbe90fb889897996d |
| SHA512 | 002766ccb986b638b10fff5a744b0372b9106997e236fe8dd36711328e4aa81f24aa60a6f164f77ddb99e2f8d35febbe00d78fd553872867fe179d20ad15a880 |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | f3d43e332dd898f240b5b42c3d41ad35 |
| SHA1 | da619b6a1a57fce3f803362d6dad3d660f2e4309 |
| SHA256 | b3ec94de12b665a4a909049940480a5b8eef90d19974bbc20fd00d015e541ef7 |
| SHA512 | b29a1dd70ed3b3418e028d396dd57711d7b8a506f97100cc7f4ec974469ca5f2b505b06cc0562fd4b17de7cc6c23ed9d4a03a6888371996634aec019d9a9cfd7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 14d1644ebef3d75fb348299000ade70b |
| SHA1 | eaf469f9752ca4adeb504f2e6d958c1183a1bb56 |
| SHA256 | 5f8d8ecf56079b837f202fac22633de51a4df8ce335d7047caead7310ba7db92 |
| SHA512 | 034c8bca5f12d21df9b9c1f630c76faae46862956bc6415f2b3d941393a4280cad25c5371dee78d04d1a97341daa17e6b9681e5094b8caaa99d3cd89366f5986 |
\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 281a65b0abd4c8bc02236f60723831fe |
| SHA1 | 6df4b426f42b198065685c130f48b9dd4ce80809 |
| SHA256 | 71d8ff7f5ea7d1eb873373c6548f24baedce3c6c10d513993b6be653b94d26e1 |
| SHA512 | e8e039fd1b8a65307fcf5dadfbc020069f4cab2666a11a5d94b49bf38bde61c08f922b16aea254e8a69045d0ef9d4fb8e1b85c6b5190f79d7891fe8241681000 |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 85f78b1fb70b90fca740bd7a3bbdfe92 |
| SHA1 | fb428d79796062612c68beb7db74d0d2278d3d1e |
| SHA256 | 2ed761e183b7cabd3239e2a3c639e935c0c8277bb49309757e61a181c00eaba1 |
| SHA512 | 326be1d5f4dc61dc998dbc8fd55ba7ea51e27d6668f73f0f5186832fa23c05534730d2af1aace68e42ec61c5b052a1a9960789dc952c94d0686298fdc96d078e |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | adc837c93ff4f9e880dfc9a603b4c9c3 |
| SHA1 | 9b295cec9ae2ddb8b69c27dc81fc854d66be5e94 |
| SHA256 | 2aff4ed41ce77b741987d2f1615ef641f4f6e1402cfa0e377bff2a9ebaf7a82c |
| SHA512 | f9c099246a2f4b7bf16bc2908a28d72bbd9e1687bf4b92b0e09ad3df10b47dc31881ffd3220098b5f1942d04c10da6c181bf61c5d3b9adefde85a39e8dca7f84 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f653caaa7af9a8cfc5eeb1399f794f48 |
| SHA1 | b684abc1e33ec5ea38c8a12db05c98e4c4856e63 |
| SHA256 | a4abf927362abf66ce0a9a2dd88820c2c23a6560f72010fa73077b89882df696 |
| SHA512 | 2179afc8e1a4bc136b63f31b37471025baa66febafb956bdeaef5d480cf68be784b155dc75deb38ed6fc46c776b17c472869f2747021b9f415f329cb21b38171 |
C:\Users\Admin\AppData\Local\Temp\tmp72FE.tmp.bat
| MD5 | 116991a204f7dbd8446efe575165ad18 |
| SHA1 | 29cb55db5431052ff761893499c1046b9cc15b7c |
| SHA256 | 047155475ad18daabf71a004da1e62af01ecc468b0dfa96b99f6f64539f9d5db |
| SHA512 | db93b7ba4d18cbf5df00703ab28e2132b88a4b186f4d32512e8816875230cd5c916c10399bc7cb5bb8ac5b576937c52e97ff39eb4078a77212b518c2d9482ea4 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
172s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\ProgramData\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dеbug\BandeeraRAT By Donbas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dеbug\BandeeraRAT By Donbas.exe
"C:\Users\Admin\AppData\Local\Temp\Dеbug\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB19.tmp.bat""
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4500 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-licab.in | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:34511 | tcp | |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
Files
memory/3964-0-0x0000000000D20000-0x0000000001BAA000-memory.dmp
memory/3964-1-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/3964-2-0x0000000002250000-0x0000000002260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b869e32cdac575ca23d73e7f9f046e6b |
| SHA1 | 2bc4ce47bb37e3ffb4faabc1015d2608a8fa96c1 |
| SHA256 | 4dc95e267ff2a5054ca354035113f16be23c06e374343b6db43b5a084b71b8e3 |
| SHA512 | d6913b3460d947043313d65458768d2fb5bb24d38da236ca88a00f61f63829e164681a22c41c3780e25001827a7219eac73b47dc26eed5ad46705c0b079c7e80 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 5b9df761d41adf1cdba899dc47d41409 |
| SHA1 | 29cda43ca20253b030f3c4de93b6c36d0076ca84 |
| SHA256 | ab96b5c9aae354a05ee803c841b5250420e92e5f5f4054058e8b956878e53656 |
| SHA512 | 510b6ffb57df41a14ba2fad373a6f3d13efd57365fb29a3752d88ba6aefc3a5b06663c946304b9532816701c560220808c531f7e92ca15380d64cf509dc0a948 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 04ab3aa7634999f2506a39dcde7588fb |
| SHA1 | 49d279d8601512082283e1bdd7ee37fce30f6bc0 |
| SHA256 | 98e81ae91b1994fc79ff7471311d3e3046a935b5957aeb47bc49408f36ca0ad4 |
| SHA512 | 76f33413d31fa4112083eee0ecac0007791a150210201c898d62d07afcdba3f1f29a21c2098c76e48476eedf1cc45b3b3202f8a796b43f7b387bce4ec684ec3c |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | afe87dd8720d4093d717d27c541fc83d |
| SHA1 | 31eaad3d775d0f3e9d8d9cdba75b85ae6e6f9442 |
| SHA256 | dc9fbb9ff106d762bf2d58f76ad914dfe68748df863e974ca67a9ac0b844de3d |
| SHA512 | fe680b077c8096d98e6483549d97926628e8190833601ab08c06cb22edadf1c1c8f5bf609da0bf418bd942c83ac945710594e7062fdb69bcae9749bed67c7bd9 |
memory/2156-23-0x0000000000660000-0x000000000097E000-memory.dmp
memory/2156-17-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | a24720213eb117422d68fbca7d107c39 |
| SHA1 | 6427b905dffad5560ab577d6c48ef1daccc28f6b |
| SHA256 | a859eefc95a56ff794f6030d15f8396a496c3c79824c2a211478245e69a584d3 |
| SHA512 | d75484bbc36ec89f84ff919202678eebc164005ada3960d6bd6cd3657155745c8cc0611cb4e102df95bc858ba738b410b41925de5970765e9f359bcb13289b03 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 0a07ff346a316495e23b80d5d06b4421 |
| SHA1 | 5ce608000e2486fdac03e9173dc54222c33a3f73 |
| SHA256 | 6ff626891b8b5d057cb3128547831253058801e738e8b2a06ef0d49a2eae3622 |
| SHA512 | 1796328a487815d9c482838c5a4b4e790b39b47e292a8ea21db69dba9c7cc12ddc42a8baf55480f8adcade8869941e975ce4c20e39d50492909b7e3e7a8b597e |
memory/3964-29-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/1184-28-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/1184-30-0x0000000000DF0000-0x0000000001952000-memory.dmp
memory/2156-31-0x000000001B6E0000-0x000000001B6F0000-memory.dmp
memory/1184-32-0x0000000002110000-0x0000000002120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 4f22aaa51898a3fdcd3a33aa5d8babd4 |
| SHA1 | 09accd635d30abf5fab8a0ecc49a8f99cf55841e |
| SHA256 | 4a3157b29849b334793eae954ee92d6a3bb16631817b744e4e1eef9b3dcca8a2 |
| SHA512 | e089b7e2d41ad33c1089d40bfc8d093c4d76bf22d73c602d3d2052dd29ed6ede0d47b0994eb232d294450ef3e02f506297c4a400e6f63618a339fa701e7748c1 |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | b3e87e13d1ac74109b7369dda7dae0ed |
| SHA1 | e4d982394327fbcc5cc164dcc5d80af2dc5d3bb9 |
| SHA256 | e9b7245c3b541813648df3e2b3adaa67412b1a991207835d775525be7972b27e |
| SHA512 | f811e5c6e82e1afe5ab62170688b9f3f6e52a547b9ebeb0d158bfbe79bd1dfa4754746941613372307035e0bed90eba050544c4af16ba8d664805ada0bcfde02 |
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
memory/4816-54-0x00000000003D0000-0x00000000003DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/2156-56-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | a405dc2681765678532e7cfae29b34a4 |
| SHA1 | 3cc9047de8c7c77f0b371e1543129fc7b7d58ff5 |
| SHA256 | 56ba4eabfebbf5cdb147af0441cfe6f11ec8f9fc407bab8905f0d91282c19a48 |
| SHA512 | 70d591e8abe891bfa81a1e20e7647f830a771688213cfe95a47876f2b3af3323a6673bd8c3cea349597e6cd51a05bfcdfd92aa2a057724fd31e28243a9fa23cb |
memory/4816-72-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4820-75-0x0000000000210000-0x0000000000D7E000-memory.dmp
memory/1184-74-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/1348-76-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/1348-73-0x00000000001E0000-0x00000000001F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 5487a2eca8d72c82cda225bf245ac6ba |
| SHA1 | 406afb545c8bd13f3f5b5902c5c647530531a9aa |
| SHA256 | 11f9de81a42ac9dd4eac3a5cd011161d95912e901e30671f11ec398e9da543af |
| SHA512 | 374afbd3ca79631d9a50c8ce51f6a28357594bbeb40bdcad50868c07355afaa99d7d5c35375d2d5c910249ac5c47bd1257a63571248995f8932a0a1fb67bf8d0 |
memory/2736-55-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/548-93-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
C:\ProgramData\Cheat.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Built.exe
| MD5 | 9c9ca9f8b36cd5c2e77026717b3a5cc6 |
| SHA1 | 7ba8e268c1f0ae55e757edc22fd23fe094a4357a |
| SHA256 | 9e04f7e7f98487ad77815cfa0bdea345d3035746e142095d6c471ac591893e52 |
| SHA512 | 9b7263015b920430fc3b67a141f942d2dde9a194670300f8a5071e10fcc4b2dd6c33489001b04075a4f76e8d3ec77c0d26795512d78a769dc5c58dda6c304349 |
memory/4820-115-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | bf96e2f0d311279c7e1973c8162742bb |
| SHA1 | 4533064abb541fa6539fdcf6d633e5ee19822e24 |
| SHA256 | c124c2806e5bea157d37e7d9f302ce679244a054c6f28f961589f2a8f7327d54 |
| SHA512 | 832bf49e9bb0e49061299894e131640ff1cf0bbc4c5d355f8e1d92babf1783fd0407d57451698ab6937a8ad6e7a2a66d85b52461292fbea409de3c1a0989e5eb |
C:\ProgramData\Built.exe
| MD5 | f5ab537b52c809ae9525dca97c02777c |
| SHA1 | 6633f2eac7d799da7fc44e8d6879092d1085af8a |
| SHA256 | 2b99fe51133d2e3129a567625bf3621ab7d4388896f683522b671aa46b09c6a6 |
| SHA512 | 60064d1430a568510bad0bdf4964f9700bea0e78390a62b8490dea9e262c8e93b3161884c557c845f997cf830b89b5257cef12e9aa76fb9927e6fecfb6757a74 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\python311.dll
| MD5 | 9b133c30d5ecfa05ec7d108b42915d67 |
| SHA1 | 46dcfff91b2de22aeaf317f36acf4be86286b640 |
| SHA256 | 4a33bdbac45b0a6ca8ca5f1fc9c507f88013bae57d5f4d0c25e8071cbfcfb342 |
| SHA512 | 9a35bfe914eac47d2c3732314a88a471236db3cd6aa2890d1268c6e7b7b5d1c73188cd28c20b6c9e89e641f99864f881cab1dd3747e60c4deb92d294a39871a0 |
memory/548-137-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | 0e1388170459227acac2eff3822ad837 |
| SHA1 | 999664c0dd92bf7644a710ca2932b90e0d295611 |
| SHA256 | bd6db38adf387b15facd89fc53c6c11d1355191b735ac17c322d8c6b907115d7 |
| SHA512 | 196b538d1d65eef3b3ca155b4d5147d1a7b972563b26a89b999448e660a69519c29a86d23ef22ff1067dc301c7b2ff159de9867ff4da62a16154bd4822a150c9 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_ctypes.pyd
| MD5 | ee2d4cd284d6bad4f207195bf5de727f |
| SHA1 | 781344a403bbffa0afb080942cd9459d9b05a348 |
| SHA256 | 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009 |
| SHA512 | a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_ssl.pyd
| MD5 | 936919f3509b2a913bf9e05723bc7cd2 |
| SHA1 | 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd |
| SHA256 | efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3 |
| SHA512 | 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_sqlite3.pyd
| MD5 | c9d6ffa3798bb5ae9f1b082d66901350 |
| SHA1 | 25724fecf4369447e77283ece810def499318086 |
| SHA256 | 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec |
| SHA512 | 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448 |
memory/4428-168-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4144-173-0x00007FF96D7A0000-0x00007FF96D7AF000-memory.dmp
memory/4428-171-0x0000000000120000-0x0000000000136000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | e77a6c753d70fadeaf71d850ad181b48 |
| SHA1 | a4e32d2635c15cf60aad41c75b798dc44c78b328 |
| SHA256 | 1f9c53fdc5e795849a6d57b13c17794aca8b9e07725d613a7ec6442cc5acde4a |
| SHA512 | 17af999009eab764a4943d173ff62b0af57cc036b0e34998d2241a83cf1150c562534997843e9907ed78b31537298f389832639d78457890aa71243cd731d058 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_socket.pyd
| MD5 | 3ea95c5c76ea27ca44b7a55f6cfdcf53 |
| SHA1 | aace156795cfb6f418b6a68a254bb4adfc2afc56 |
| SHA256 | 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923 |
| SHA512 | 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_queue.pyd
| MD5 | 8b3ba5fb207d27eb3632486b936396a3 |
| SHA1 | 5ad45b469041d88ec7fd277d84b1e2093ec7f93e |
| SHA256 | 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051 |
| SHA512 | 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_lzma.pyd
| MD5 | 5eee7d45b8d89c291965a153d86592ee |
| SHA1 | 93562dcdb10bd93433c7275d991681b299f45660 |
| SHA256 | 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9 |
| SHA512 | 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_hashlib.pyd
| MD5 | 6d2132108825afd85763fc3b8f612b11 |
| SHA1 | af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0 |
| SHA256 | aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52 |
| SHA512 | 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_decimal.pyd
| MD5 | 918e513c376a52a1046c4d4aee87042d |
| SHA1 | d54edc813f56c17700252f487ef978bde1e7f7e1 |
| SHA256 | f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29 |
| SHA512 | ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\_bz2.pyd
| MD5 | 341a6188f375c6702de4f9d0e1de8c08 |
| SHA1 | 204a508ca6a13eb030ed7953595e9b79b9b9ba3b |
| SHA256 | 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e |
| SHA512 | 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24 |
memory/2736-174-0x000000001BBA0000-0x000000001BBB0000-memory.dmp
memory/4820-176-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4432-177-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4432-178-0x0000000000E90000-0x0000000001284000-memory.dmp
memory/4428-179-0x0000000005020000-0x00000000055C4000-memory.dmp
memory/4144-180-0x00007FF959840000-0x00007FF959E2E000-memory.dmp
memory/4428-175-0x00000000049B0000-0x0000000004A4C000-memory.dmp
memory/4816-191-0x000000001C100000-0x000000001C110000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BanderaRAT.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/4144-197-0x00007FF95F280000-0x00007FF95F299000-memory.dmp
memory/2736-201-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4428-200-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
memory/4144-198-0x00007FF95F250000-0x00007FF95F273000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 58c5df5cfc1820f91b41baf966410070 |
| SHA1 | 20e6ce27ca19688d62a6923e2a26e6d9008cb918 |
| SHA256 | dbd1955a8eca3841b55d3d353ec5fded2ebb61ba97fa5709819c3eba5ba12fc1 |
| SHA512 | 2675698ab6a8f4c0a71814f2092a64ef548206bf9f378035bfbe2ed3fc59e1a9c33373ecceec6aa592551fdd258d22b7917d9afc875802b410041f5884c1fe03 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\select.pyd
| MD5 | 2398a631bae547d1d33e91335e6d210b |
| SHA1 | f1f10f901da76323d68a4c9b57f5edfd3baf30f5 |
| SHA256 | 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435 |
| SHA512 | 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libssl-3.dll
| MD5 | 6eda5a055b164e5e798429dcd94f5b88 |
| SHA1 | 2c5494379d1efe6b0a101801e09f10a7cb82dbe9 |
| SHA256 | 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8 |
| SHA512 | 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libcrypto-3.dll
| MD5 | ed1e8939bf8db2e2d95c9cd7917cd204 |
| SHA1 | 2c6c223f1bcb12abaa7d2810860fd969f3d17a24 |
| SHA256 | 3c62b5bf7e70543ab5d799235afe4667518106c0b3254544f0886db25e4e0cd8 |
| SHA512 | b8df2eb7b9b3fcae3642279b322e3ecd2a5839f33ff25071c6c962ecf2c88d8a23db07c2c27cac9c987c463852455da05c8098b25f409a0aa030420cc32187cc |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\sqlite3.dll
| MD5 | cc9d1869f9305b5a695fc5e76bd57b72 |
| SHA1 | c6a28791035e7e10cfae0ab51e9a5a8328ea55c1 |
| SHA256 | 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee |
| SHA512 | e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1 |
memory/4432-210-0x0000000005F60000-0x0000000005FF2000-memory.dmp
memory/4432-211-0x000000000A8F0000-0x000000000A8F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\unicodedata.pyd
| MD5 | 6279c26d085d1b2efd53e9c3e74d0285 |
| SHA1 | bd0d274fb9502406b6b9a5756760b78919fa2518 |
| SHA256 | 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6 |
| SHA512 | 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9 |
memory/4432-213-0x0000000006C70000-0x0000000006CA8000-memory.dmp
memory/4432-214-0x0000000006C40000-0x0000000006C4E000-memory.dmp
memory/3944-215-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4144-216-0x00007FF95A0C0000-0x00007FF95A18D000-memory.dmp
memory/4144-217-0x00007FF956C20000-0x00007FF957142000-memory.dmp
memory/4144-218-0x00007FF95F240000-0x00007FF95F24D000-memory.dmp
memory/4432-219-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
memory/3412-221-0x00000000027C0000-0x00000000027D0000-memory.dmp
memory/1348-224-0x000000001AD90000-0x000000001ADA0000-memory.dmp
memory/4144-226-0x00007FF96A820000-0x00007FF96A82D000-memory.dmp
memory/4144-229-0x00007FF95AC60000-0x00007FF95AC74000-memory.dmp
memory/4432-230-0x000000000BE30000-0x000000000C458000-memory.dmp
memory/4432-228-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
memory/5272-231-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/548-233-0x000000001AB50000-0x000000001AB60000-memory.dmp
memory/3944-234-0x000000001CBC0000-0x000000001CBD0000-memory.dmp
memory/5272-232-0x00000203F7DC0000-0x00000203F7DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | c453dab7702f21ea1c43a8a2c3995d5d |
| SHA1 | 73275f534a17798f4ffb02f52715057fffc27d10 |
| SHA256 | fba0aafbee84b5910cf21931ac4e2f6eb836ad079094fe148776cb683af2c511 |
| SHA512 | 38cb4e5577ea59d5ac25d40a90f43680d5798182f2dc127188848e0e7631cc1d3c1f6d25473f1410482cfc5b6f631550fd2c0c1963619c63ec63d3e486e36463 |
memory/4816-235-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4144-227-0x00007FF95AFB0000-0x00007FF95AFE3000-memory.dmp
memory/4144-225-0x00007FF95EA10000-0x00007FF95EA29000-memory.dmp
memory/3412-223-0x00007FF95DE90000-0x00007FF95E951000-memory.dmp
memory/4144-222-0x00007FF95AC80000-0x00007FF95ADF6000-memory.dmp
memory/4144-220-0x00007FF959FA0000-0x00007FF95A0BC000-memory.dmp
memory/5264-236-0x000002D0430F0000-0x000002D043100000-memory.dmp
memory/4144-240-0x00007FF959840000-0x00007FF959E2E000-memory.dmp
memory/4144-253-0x00007FF95F2D0000-0x00007FF95F2F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maq5mpgf.5ns.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4144-187-0x00007FF95F2A0000-0x00007FF95F2CD000-memory.dmp
memory/4144-181-0x00007FF95F2D0000-0x00007FF95F2F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI8802\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libcrypto-3.dll
| MD5 | 27515b5bb912701abb4dfad186b1da1f |
| SHA1 | 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411 |
| SHA256 | fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a |
| SHA512 | 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\blank.aes
| MD5 | 291948ee8e8927f3a74e829695ff9b43 |
| SHA1 | 2d28ac4941f4095b8ac4340e4b626af45da15625 |
| SHA256 | 035ba985560ab044aa1c4c413dc1b5706031a6143cd38606e57b5da145aaac6a |
| SHA512 | 924ec1ba39ef26332855871222945b5d5197a7782387175e764558ec410f1f0dab9f8479575e582479e645c3af23d9264141b61846458489e335d308d6024906 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\base_library.zip
| MD5 | 9d84222015f5e2d8afb5ec74d6808ad0 |
| SHA1 | 38f7c2439e7829cbd2837be1f8b0380ce5c8e444 |
| SHA256 | 20adf37360e803029eb7f0a99ec882f277765193f6d4bed683a391c06959581f |
| SHA512 | 5939f286d47d8ad459521042781d666ff4f99a7b1e4c5747f32f4b3604abca9171fa777ea6453f2e169a4c62931d960b231894fa8faaae0e531c0f232a30e906 |
C:\Users\Admin\AppData\Local\Temp\_MEI8802\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
C:\ProgramData\Built.exe
| MD5 | 022c90d2b607ce098df042969f1ff10c |
| SHA1 | ba9e320d766bc4e131c51c115275dc0efe2b8df6 |
| SHA256 | 60e2391c0b640cbed4d5773ad9d65a54dd07e03afa18d410ef8b08d90a2a3b07 |
| SHA512 | 84cbcc875dd977d8b319fa68a472bf6ec3b7f923e43ab10fd88102bc02f46180820e427416bb5a95da57302b151703df298b9eb9c37ac93e98da0e181a7a5f31 |
memory/4144-306-0x00007FF959840000-0x00007FF959E2E000-memory.dmp
memory/4144-314-0x00007FF95F280000-0x00007FF95F299000-memory.dmp
memory/4144-317-0x00007FF95F250000-0x00007FF95F273000-memory.dmp
memory/4144-319-0x00007FF95AC80000-0x00007FF95ADF6000-memory.dmp
memory/4144-322-0x00007FF95EA10000-0x00007FF95EA29000-memory.dmp
memory/4144-323-0x00007FF96A820000-0x00007FF96A82D000-memory.dmp
memory/4144-326-0x00007FF95AFB0000-0x00007FF95AFE3000-memory.dmp
memory/4144-328-0x00007FF95A0C0000-0x00007FF95A18D000-memory.dmp
memory/4144-330-0x00007FF956C20000-0x00007FF957142000-memory.dmp
memory/4144-332-0x00007FF95AC60000-0x00007FF95AC74000-memory.dmp
memory/4144-312-0x00007FF95F2A0000-0x00007FF95F2CD000-memory.dmp
memory/4144-334-0x00007FF95F240000-0x00007FF95F24D000-memory.dmp
memory/4144-336-0x00007FF959FA0000-0x00007FF95A0BC000-memory.dmp
memory/4144-310-0x00007FF96D7A0000-0x00007FF96D7AF000-memory.dmp
memory/4144-308-0x00007FF95F2D0000-0x00007FF95F2F4000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\PORTS.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1628 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1628 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1628 wrote to memory of 1224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| PL | 93.184.221.240:80 | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2276 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2276 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2276 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2844 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2844 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2844 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2844 wrote to memory of 2628 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DET.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DET.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DET.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 2f80bf344ba03b251dbcd0c4296516aa |
| SHA1 | 06ebb124cdba9d6d20295aeda2b6e473e62e548d |
| SHA256 | 1fad86fabd5cc6452fba0e99ef92fa0cf824241b99baf4fe4fb89cd253308d68 |
| SHA512 | 75e0bdbc1b1bbbc25adb14f9d90275f8b38546d87035c5c5630072973fdc82e8ba94aec8ba46f6f9ca7f3d5b28736d2cb7c87eb1174489e1d25e199e4958341e |
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
161s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.exe.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/4396-1-0x00007FFEA1F30000-0x00007FFEA2125000-memory.dmp
memory/4396-0-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp
memory/4396-2-0x00007FFEA1F30000-0x00007FFEA2125000-memory.dmp
memory/4396-3-0x00007FFEA1F30000-0x00007FFEA2125000-memory.dmp
memory/4396-4-0x00007FFE9F7B0000-0x00007FFE9FA79000-memory.dmp
memory/4396-5-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp
memory/4396-6-0x00007FFEA1F30000-0x00007FFEA2125000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1100 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1100 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1100 wrote to memory of 2540 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2540 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2540 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2540 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2540 wrote to memory of 2576 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 166e50f744608f06af40a0b6cb7ca919 |
| SHA1 | 1265b4eff2d974924b97a5c105b679ff1c259b07 |
| SHA256 | b2eaa2346e8a3f709d8d4343960767b5de9abb4b55e8ad8bcd43ecc368be846a |
| SHA512 | 7c9b02060ee8a1b1ba796c7d935513606f79bcd18320f417a636f0d3bc480f5fd3156337da0caa57fdae566f4b7b920fce233ac2da7c886a894d6000fae0057b |
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1560 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1560 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1560 wrote to memory of 2560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2560 wrote to memory of 2600 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2560 wrote to memory of 2600 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2560 wrote to memory of 2600 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2560 wrote to memory of 2600 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 17783c627f063d21025531b00e427984 |
| SHA1 | db73a5a7449f74a1b3779a85ae67ec8353a6a166 |
| SHA256 | bcc677663b9ad74fec3814c8e3b69ec40b83c4a89897f0b47f6e9809471ae52a |
| SHA512 | 7b80be640d571a57ac5130619293d4bf3bcf10378dc10c41860efaec6e2ed6637bc50015564ac2ce1da97da458a119a26733ac09068faa5f91a1e7f8bb213a03 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2956 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2956 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2956 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2764 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2764 wrote to memory of 2684 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\ENC.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\ENC.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\ENC.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 96874e7e5244f74428f1f48ec90d706e |
| SHA1 | 8c79f70a124bd0a733ceb81dd6555f15e4b98e43 |
| SHA256 | b95f07e678f1e30840788db992e57a430481f655c6b80ba2c6b651fa0af90dbe |
| SHA512 | 0e8dfcb0100dee0a7dc151b8bbc0626e19fcc5f542b711638bfd15cda6cfb15ceb6f373ccaec2e4a7255afbc44d508143dc7cabf6dc1705b5a318f85789af7f6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\MetroFramework.Fonts.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
167s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\GeoIP.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:49
Platform
win7-20240221-en
Max time kernel
240s
Max time network
311s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D61DFF1-DAEE-11EE-AFBF-6EAD7206CC74} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f7000000000200000000001066000000010000200000002c133dcbb50f84cbcdd7a3b7dac8425c99e4944cc70eb93bdac71181006ae6ca000000000e800000000200002000000036256b5a4c5cf7790dc1b71ba9751bc51ea7744e491ee656f53df5132fde1d1420000000f6f6ede24909d62fe3d027c63a4d060c8f367508a4af6c226b38d84ec62df4a340000000fa9b61dc4762f70d4a254d853698681ebe4753e2e0166d8c9224109ece446087d427901a7459992360277be9c1b21054d704a6a965f017312afd241de9ce9553 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000185f95e2dac533cc208e5b32374c020606c7ccba3e804aaf84c3057b18630176000000000e8000000002000020000000ffb3b1ff82e904bbbb7991474d0705d16c3326c7353a54361bc4b8dc3fc5d940900000005763977c176dfea10b98aa079efa894838c84441e1671a85f8c97202589c46e333ea376b88300967ed891dc8632103e0b4ac599c90ae8707a531332845ea67fc12e4dbc4bac844f6863eb499480c15060e20e85e673f7ec7a51eafd09911011a71636ce390935a36594e30f7f26b343ab2a4022180f35c37cce15a91f0a55ad82467c5c378ec7754460a9d4884f64eac4000000062de17a9e1f0e086ed24006711a51957c1f51cc4bd312a6c21b84d1bbca82cc26eaff57f554dc9f373c49b7ad4027379c34457a4cee061b58a39177f054701c4 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b68b54fb6eda01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415804706" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.exe.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:588 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab2F0.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarD82.tmp
| MD5 | 9c89fec2ae02f2172136534f5e495a99 |
| SHA1 | 1080c260fd3040bb09bf4b0295eb95c89f20a105 |
| SHA256 | 95085f6e17435da6cf58d2df1a0db1896c94f57a778984643d2410cc1b8a07b8 |
| SHA512 | b3d364e61c5857432c368c764845a33fd4e944894dc4f9e7b9c9dd79f9452f49526a0396a6366e3f8bbc81f57378fdd2f8d604f18f5623cf1a8901198b55cdda |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41c4d643062ab79624c7e60061def79d |
| SHA1 | ce33894c02d8bc00ecd1f284bbeea30f92140dba |
| SHA256 | d42057c6ad34f821e829525a250e4abba356bdc7f59fa167c3940238d85e62c2 |
| SHA512 | 32029443b91f67517cc817c9e4868735930a11445a2d5519f02ef0cd481509432c2d5c788f09efdb36f84c158a7223892143e4d60df219849f10ee6271150b81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef77ee660b33b243ae9f42092f996730 |
| SHA1 | f84fd2c080c57d391dec0c4251ef299468c8fe9b |
| SHA256 | 6854302000f62a794a63e7d7207a8058eef58e7cdaac2e53ccdb8adeca00428c |
| SHA512 | 1f3252066c86a8ec12f3beb94c64edd719396a05aaef15b7669a382d280a4697ceb6bcf943db84d032158f41fc178f32025802655653c805ac09ab514b940352 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aa316e68fba1f06169afb237f6c3776e |
| SHA1 | ae17783fa02e136bc9f2fccf6884b84c49ce8e07 |
| SHA256 | 67098b479e59e8705cd4cfaa06a629373d9053e15f35030436b4abeaf2646f23 |
| SHA512 | dff3f17db1031d9dc00b82188b3f8f9c793deb59d34573ee5ed0983d05335b190a5c010bb4dd711892d9d0ef4c7e0de6e10c8d388a7b9e6d70b3a2097042a93e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca05fca9764cfbd17af40ac89504ad29 |
| SHA1 | 956d81fbc56962d48112941b20f194b6d3358a79 |
| SHA256 | 827f4c9ebfa5ed7b9530e91194f8529f594c349d39fe48ef0d2bae615b71b73e |
| SHA512 | b8b7202eaa5b3ce48a4ea60f8858e430be6c941ee25c7f21714095d565c3c89d20fc468b1ba69223b56ef5d4a7b7501b7ddeba2353bbf2a78a10b8cee6190bf5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd2aac917183c9d1f09ceb6b251eb21d |
| SHA1 | 276d7b6576a939033d1f1ec8662ea01104081687 |
| SHA256 | 2f22bb6608e141a2f6e0d472e223056fd8b65d5111202415e31a06e8454929f7 |
| SHA512 | 1dff33b3f1dd99f79210282165654b147c57929ba79333a5c20cb5d998c0200151c8d0c388e143c8e09052ddef42acecf1c1e1c84410a4affc3f5a518eb024bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e8c1fa9f864854e787a3311d1d95c4f |
| SHA1 | 39543e61847a65c7cddab215ab74167338e8aa66 |
| SHA256 | 5306e18f4c0f76eb3b8a4d2849d1dbe96e70b4a964358df316d2aefddad4e2af |
| SHA512 | 45367e8bc6c7483a01aaf8cb98e42fb7cc21441eb6682eb72389c1c955e5263aea3bc2661c60d1a6a1567716dee84ca9cc94a055421f2e3c9b45903c3d783f2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5665b0fd3d8351052eb17c7675bef659 |
| SHA1 | 99bb47da73055291245f7c7460066fe1e77fa8c9 |
| SHA256 | 2091094df2caaccda6616aa8df17171b715bf40d9e90b97c2504fdc1325f635b |
| SHA512 | 33e4c874b8869d5cff6b2a41f8a66bd288d7bd4f461c0aab1d92094981685a09701ea4d8d2bcc35c1333f0a45b9c6a205a19ac6170d3b102ccc15b0b3f59f69e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0497a3205138eb144994c6768572989d |
| SHA1 | 70f01317fe27d6c6a9f9b821d2096acb688091c7 |
| SHA256 | 98f2a6f6d125e0bae5aaa84bfadec2a20b57f64d753efeba56c4f2de8c315ecf |
| SHA512 | 2c29f812cba34095e0e492cdd4852f09ade082acbda0de69d00512b92b82904f7e87539b4372dd16db77a12dbdf2be2b9e794b949ab6351c4069ab54c601362e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86042e979648e5c0ebe518214763db32 |
| SHA1 | f052cd4ee955341eb0e4983340a2b2048bf1db25 |
| SHA256 | ca32896120d67ca0279646b6d773343662183d3d63c064efd3930da22a280e15 |
| SHA512 | 4060edd5a3b0d1e298f09c9186eb34c135c96ea283a2af7c40f071179e7f655f573b3f46d47c9404c92e8fc198c413a6ea6333b5bd85d05a8723857a1f23823b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f79682315b83bfa9a77635b5056f01ba |
| SHA1 | b22d603ae510da205890cb377389eb5855528331 |
| SHA256 | 3bdbc3a24ac7827d90253d33fc534f251093649a6ab12d879acf3fc14c8d6ce9 |
| SHA512 | 6a5f55baac8926f86ee6f0b0bcee642f3821a2ecac0938601c354497e9ad98a979db40337f37b4ff8e4f63739c7d3ea9947945f738e57086a9a6369d218346c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2fafe9ee987287fc460bae4c534511f5 |
| SHA1 | 793d5c47b54c7e0c6823acd9b43d0aa79445fbb0 |
| SHA256 | 8839dc7f9baa9c941afc855391f31c70f54eb7df1ddf2cd1249507ff02932f35 |
| SHA512 | 95bf7aa853d5ce224b4069af55ff1bb684036f7076bf78f3b86d30881f83f6776e080c5e6f90e4ce889bb68bf411618672bc728308a402d5fff961afd67f5150 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 040d09bf701a12292fa3cfe43bd85b16 |
| SHA1 | ac9884d78292d10efc6ca58366c501649a4f0be9 |
| SHA256 | 5b962e60b4ae6e8844fee101097dadbbeec76662307c862c866b2dba95a1d861 |
| SHA512 | a9e94594b67bd85e9ad2e0c2a9fd1aa067186f89c1be282757d578e3789e0b35fcdddc92a79995199f3a1c4c33524c29553f41380b02d04078ae18f7a35d1604 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dd6e3b7b864b25299524c1e511044e35 |
| SHA1 | dacc416efb1bd337c801f6dd8964a8dc07cd945e |
| SHA256 | db75d81ab933ee7c8b9b852775e35fad208b3a3de4188cb787354dd3797557cd |
| SHA512 | e8e2e47755640eb75ccfd53a6716e0a5155b51d8c6db37e0225665c46a754939051eecbe8f6ad536e6b8c80c72fc4a307d55ef7ca3d8b3c764d358cd0e25d10f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1dc115fea486eb78f2f6e8adef89d56 |
| SHA1 | 36345ae32462e7fd3517f65faa8540ef03cc901d |
| SHA256 | a8167ad193bfdacdbda387b7a731aeadd024000e83a106d7f892ea8cf6d42e79 |
| SHA512 | b16c89ca3d8609762261bf6e317126d8dfa1f94a185cb029926dfaee5900d04c6888cc5bd2755cff83a03b64e2e8987bacd2f72dcce93ec95b28035a77984ecc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a63f90a1aa8cc2dae3d59c3256098d0 |
| SHA1 | 1b0b9a8911e6947488a5b90e8165b587648b839f |
| SHA256 | 72cf6b1df37599a0dd73f3409585d4d55b5a6cde31d62872a88f6c4a8f7c641d |
| SHA512 | f89bf2b447a5da20b393226d4f5c59a86704db4eec4446cbdcb2a7eadd38692523d30d4d31c3be963f964c923a134710c43adecfccdb61014dd63d4a25f36c72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9ada61133cdc1076b524e19f93f1ec78 |
| SHA1 | 359926323c37df91c3c90c797353adde02da13c5 |
| SHA256 | 221363f3c85b6f543b693fcb6c22cdf786815cf5daaa2321ebfea9e7f095b99e |
| SHA512 | 2c48f000119c87fb6e477a10b173ea5a4c81b14aa3dd8dcc792050cd0e434e29c7646aaea26969c0e2dba6e039f10fcb730040a1db0ed06894a114450badea68 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:49
Platform
win7-20240221-en
Max time kernel
283s
Max time network
319s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 1404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1576 wrote to memory of 1404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1576 wrote to memory of 1404 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1404 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1404 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1404 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1404 wrote to memory of 848 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\PORTS.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\PORTS.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\PORTS.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | aa509d15560072b63a583e3a32cd6b09 |
| SHA1 | 2e3c3b9d7a7e873afce13de1f6a0766c0cf95d2c |
| SHA256 | 19b6ff4a1d498604e0f7941ad846beb4dfee38cafad89ce73994c8a397d1543f |
| SHA512 | 6e2815247c12250cfd88129485ad6eaaedb04eafc510c128cc12c574534e7518431c2feb59bd82bc0ef0cef258ce14b0bc28eff5b7a7d5c7d0d0c26a558a20b3 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:48
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
197s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\ENC.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
157s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\ProgramData\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
| N/A | N/A | C:\ProgramData\Built.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dbug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dbug.rar"
C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe
"C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Built.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp287.tmp.bat""
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-kqeit.in | udp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe
| MD5 | a7dc477381eebbd02d15ffe698086945 |
| SHA1 | b4e35823b583e73cb2a4b06c8a6eb1242ab9abfd |
| SHA256 | d178fb59127c878bed66d5c0bfc20b8ba4370a71d13418972a57ffd7ad10f415 |
| SHA512 | fe5b56b4c9c0a0781faa3aede0445205b2fe42f438397d40e5cfea4f95239e0fa758a8716555c47681428c0620bdbf325457a84cddfef60f116b126f146f02a6 |
C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe
| MD5 | 27840ece6dbf528824fe11b32c5a4830 |
| SHA1 | d4574b044cd42837decb6e2d60968f45d31c2a38 |
| SHA256 | 568aa8d7f061f0f3d5b225b9e80fab509ee78fda0dcd1378e84fd936b20dd8a7 |
| SHA512 | 473483a25979e4a5a29200aa2c6f03ff68c8d7ac93856f610e563bcbf1ee9688426dccb2733e43e020f0ff165031d5561f0f8a4816f32f87d50a8082ad645d55 |
C:\Users\Admin\AppData\Local\Temp\7zO009D14C7\BandeeraRAT By Donbas.exe
| MD5 | 8ed5259dd5b738fdfd40d33cae296cca |
| SHA1 | 5a44465cd1b42bad0f351120d45e96a3707821b1 |
| SHA256 | d016ded43fd9cb2034f46f1bc6501df538b751c3216f5c1b355778573509bc52 |
| SHA512 | 179503a3bd87803472e3978e3b929a7a2c34b81dbc8729d4b7b439a5009344f4e8f017d28d5ab4fe102ca26fa4cfd398cd3692c77ad061861d49570fa78d146d |
memory/1900-12-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/1900-13-0x0000000000F20000-0x0000000001DAA000-memory.dmp
memory/1900-14-0x0000000004040000-0x0000000004050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b869e32cdac575ca23d73e7f9f046e6b |
| SHA1 | 2bc4ce47bb37e3ffb4faabc1015d2608a8fa96c1 |
| SHA256 | 4dc95e267ff2a5054ca354035113f16be23c06e374343b6db43b5a084b71b8e3 |
| SHA512 | d6913b3460d947043313d65458768d2fb5bb24d38da236ca88a00f61f63829e164681a22c41c3780e25001827a7219eac73b47dc26eed5ad46705c0b079c7e80 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b5a1ee095351f7d004e047c49aa70d2e |
| SHA1 | 92a28485f2907c323169df67f98cc732e331c8b0 |
| SHA256 | b3d1512b4c4a45ed88a63eed38cea1a3bb64392a854b1024de335a72c6980a65 |
| SHA512 | 126f82fd6e79a19ad0107bf7711e6445982e464782d9fcb2423c8bb3f29ae8fd5a1562fc0895a1cebdc3ee78d82fec92732269627667f04e07c9f767dc4b76d8 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f28e4f84312c3a8e008d75a15c7a49d9 |
| SHA1 | f9d6d5f6227cbb45ed4846ee1154f9eeb796a8e5 |
| SHA256 | 8fefac5742c0e1671b877f9d851dfba9652ebf9d22c444bf2747f5d7f9d9e916 |
| SHA512 | aa21f098558f32f138a5d74f1a37cc83dfede02f408d7b6b26f79c04780e1a13769882c613d63ea03a98f86594e2437b8a9a11da924a5369b8d9d10c0d704ead |
memory/2340-34-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2340-35-0x0000000000DB0000-0x00000000010CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | d8def3b5d222f4e9059e08e7100b526f |
| SHA1 | 66f201f392265f0abf6e261e0507221b9dc0d244 |
| SHA256 | 9e677be49cc2f5e137418603327bcea729da6e4caa46273b29702c99aa812351 |
| SHA512 | b97c17a8e01b14fa99d3c6d744ae3b8d72f8b0b281fec3f352cc7778642323830a6553ebd26ab2c1aeebb9b5138c66016f5b309b6b3b6f501b0b03ce1f859f88 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | f263bbaa8ccdd839fd8aacceb39cef03 |
| SHA1 | ca5707846dc28d46b5e444609b84f2580d0489e6 |
| SHA256 | 87c4911543c99615b3f951afe0a84b9c6f88c1649bea11902ba4eda70f00ff4f |
| SHA512 | 255dfd5465fa5b6e2522b17026002c8550b9ec28801bcf127e854db3509dcfc4fa0d02923c61e391b30db242734aa26a12423e2f9e82d30211fcea37f3433307 |
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | c2eb0a2170e91c1ad50fdea8c078cb9c |
| SHA1 | 9a3238e70d595a7dde685c5ab5a68553c4f52f4d |
| SHA256 | 62799b30ec5dcbc23d07824a4f6c3a0757890a8ac665f76b5a1f2017efeba538 |
| SHA512 | bd2430e94c21c54a32483d2598d80f70d07425fc0ee4c2db4188e6f69e2f60eef3ccd454d0cb58d4254e1adafcb6f27d6a8240bd73a6594d06017136509d4bcc |
memory/1784-40-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/1900-41-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/1784-42-0x0000000000DF0000-0x0000000001952000-memory.dmp
memory/2340-43-0x000000001BEC0000-0x000000001BED0000-memory.dmp
memory/1784-44-0x000000001C730000-0x000000001C740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
memory/2692-58-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2432-61-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2340-62-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2432-60-0x0000000000150000-0x000000000015E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | b6d968bcb29ad46df246cdb79d87277e |
| SHA1 | a97b741e46073469b136baaaebff9b2acea57d12 |
| SHA256 | 0f09cf2cef0eae2892d28077f7c889f1f8f77a243c5c15b904459f1fcff8df4b |
| SHA512 | e81818bd463b78d5ed9ffc7889fb91879bf25bfebd4fe67ec6d311800b23c4d5abca944328f39d9b71d22c4248d477512606d554fb688446baed958a944759b1 |
memory/2692-70-0x000000001B630000-0x000000001B640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 174b9cff9c8a30ffd0c9f606de004363 |
| SHA1 | 6360618e3dbe567e466311d54d6ed57abb9cb4b8 |
| SHA256 | 5de5a904047e6f79833f0368401d4ae6029ca302590b648ad2fb4656e5cb33d9 |
| SHA512 | a5887a61f88c1ffa2c83dea799879cd12786364f3208215d2ccdbba48ffbfed67bf009fb5ec886fde61d6e9cb9b3bcfe9852d92cd4f9857d59738aa1690e7bee |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 7daa3f961a7628e7276cfe744028bcf8 |
| SHA1 | 29f57c903a0688bcd7de1315180508a70997ef82 |
| SHA256 | 1fc0dd28085b9dc5b8ebf4600c8276438542f1a45dc82e3ee0a8dfaf51f03999 |
| SHA512 | 6e3e74e330c81adf85d613380623aeb2c2e469b9cd6760e27e40baba776345f7b44571add827bb4224e4e9eb2131b5db0b565bb1f51c69156225f81f3aa515df |
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/2444-87-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2444-89-0x0000000000FE0000-0x0000000001B4E000-memory.dmp
memory/4636-88-0x0000000000A40000-0x0000000000A58000-memory.dmp
memory/1784-86-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/4636-90-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BanderaRAT.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/3320-95-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 04634c11994915b0f2dfe0b456b41e88 |
| SHA1 | dfe1667f56e59fb6b4d08e6c5ea546e9b003e07e |
| SHA256 | dc309cdbd9aa2e2f3bdb8031b5f048c653c51c4ca5623e593ccc920c27249d3f |
| SHA512 | 98cc5b16ae7b102657674d830e2cbee961e10beaa666940334a568de002e5a8fdcc7785c281da0bdfffdb4aafe65defbf015e0814102c60b78260787d8607d1f |
memory/2692-96-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
memory/3852-112-0x0000000000E50000-0x0000000000E60000-memory.dmp
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
memory/2616-114-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 2bbae248dc2ef0bbe1ee23d019f82a24 |
| SHA1 | a49a23471f72e297e78028f57e87bc447980141c |
| SHA256 | 67212f9ed02c8589ee57d9a09312006729143025bda01ceee79901248a90cea1 |
| SHA512 | 5ab6a611de4737df996977cf1a881d39ea8368660ecb420c0c0ca7f43d613faab470484e3c36547656fedff17069d7b2b1d986aa84b91002376a2cc1bcbc7722 |
memory/3852-127-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/432-128-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/432-131-0x0000000000AB0000-0x0000000000AC6000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 1bf83ac40194a893ffe79c16ef0c5e6b |
| SHA1 | 2d8edb30e458684e1f70b729e78c3902f2e62baa |
| SHA256 | eecb3d036b27ea46c6d8efb13bc8765cadd85cdd9dfbd8b98121322234293e0a |
| SHA512 | 3a8519f0f4b5764483d55e24c8ad2006bb926068a1b7770fb9d241e1842b39c427d4f78a1cf76664d8f5f09befd8e156adf6726b09badddc5c525028563c3b79 |
C:\ProgramData\Fluxus V7.exe
| MD5 | ede14248746431b41c054887e63102de |
| SHA1 | 4ac8ffe88d3b433211306ba93f96dd0a4ff3df95 |
| SHA256 | a0a97379629123d7383b9753a3fe9756cdca1fa3038f196b9366b65d6875287c |
| SHA512 | bf6afd6262f249fb390ce78bcb4d3286e73c164e7ab0f1e109c95f69aeecad63068f109ae0ee30a7d74b0d0c2cde86bc16d6556439a974b4b692b2bfdab09356 |
C:\ProgramData\Built.exe
| MD5 | 60c292fc051599d68df4a2910aa5c8c6 |
| SHA1 | ff9c0b162fee93e7ef261d63daa17a568272d0df |
| SHA256 | f31dfbb0c332e1f4cb43a6b36454aea878579cccc9403c35c209ea6a972d860d |
| SHA512 | 3880b28eb7786fd01a5694303c91687bf440c3b5751d8f5e4b62296c02e6407a675ff52893e9d1d34eae2db95df08d83c4e0b35f5fed03ce41be83656b2a89c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\python311.dll
| MD5 | 7d430bb838798e40ee8bb710c8d6298c |
| SHA1 | 36fb7999c4046cc6207bead623ed2d4bcf3f9d65 |
| SHA256 | 1ea5e8b0e4c7558830f2ecfbba7efefc4c5a1f0ad4157f7f6eb9b1997e3d0b27 |
| SHA512 | fd0a26ced3e323ab46b9ec8fda06c57213ede50bebcb2070976f6ea6fbecc74b82aaec3654a980d744a375094a219288342ecef3a5083837924a61829f32cb6b |
C:\ProgramData\Fluxus V7.exe
| MD5 | 8e1020fc04e376355fb4418e85b0f5b7 |
| SHA1 | f3909b5368ae2fa8cbc9e79d865165f47da8439e |
| SHA256 | fea4bc5975806b0f9b145faad0ef0b90779b6fd671e51bc571405424fe547f86 |
| SHA512 | a0a65bd937d64d61712de12d2760e3f2bb873d1345b8ba588ae5e5f9e362e6e357e9908b24a69c9fb833f0d501b000cd2f4ce528c75fa4667c2a95b91f2f96e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/548-176-0x00000000004D0000-0x00000000008C4000-memory.dmp
memory/548-175-0x0000000074660000-0x0000000074E10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_ctypes.pyd
| MD5 | ee2d4cd284d6bad4f207195bf5de727f |
| SHA1 | 781344a403bbffa0afb080942cd9459d9b05a348 |
| SHA256 | 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009 |
| SHA512 | a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55 |
memory/2432-199-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_ssl.pyd
| MD5 | 936919f3509b2a913bf9e05723bc7cd2 |
| SHA1 | 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd |
| SHA256 | efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3 |
| SHA512 | 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3 |
memory/4404-201-0x00007FF8BA670000-0x00007FF8BAC5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_sqlite3.pyd
| MD5 | c9d6ffa3798bb5ae9f1b082d66901350 |
| SHA1 | 25724fecf4369447e77283ece810def499318086 |
| SHA256 | 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec |
| SHA512 | 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448 |
memory/3320-202-0x0000000001870000-0x0000000001880000-memory.dmp
memory/548-206-0x0000000005350000-0x0000000005360000-memory.dmp
memory/4636-211-0x000000001B6E0000-0x000000001B6F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 323317091f94f2844e04d8da04084cba |
| SHA1 | 5fabe31432f94270baf1c0d3c00bff9eb2801e4f |
| SHA256 | cf6cd0cfd56eec5dfc1e25fc9afea9f50393df6af4cad79e2915550399c60723 |
| SHA512 | e49fc22f778151304ffef85f6f65bb60f23e9e4cc227f05fe0035b88d7207d9ef9c8258b9354eb38c0e845a7f13dfe3f2e06b92f99624eb41b92fa472261c3f5 |
memory/4636-213-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ssbobr2.0.exe.log
| MD5 | fff5cbccb6b31b40f834b8f4778a779a |
| SHA1 | 899ed0377e89f1ed434cfeecc5bc0163ebdf0454 |
| SHA256 | b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76 |
| SHA512 | 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\sqlite3.dll
| MD5 | 2cb8ae91e1046cf45318f762e8f5c015 |
| SHA1 | 5efe6d27cd1c5384ae8ec404e172bd944e25e122 |
| SHA256 | 701aba7653b18179dd6c426c017fc878c45b54995ae40cd17e5575b25f1e582e |
| SHA512 | 41086d3480ad7f6aebf53b5239823749eb65da065a372f644ecc2959902a62ce3379ab1ee236633e946346eac345c8e552aba92882a2eb445abca8875b7a0700 |
memory/548-224-0x0000000005600000-0x0000000005692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\select.pyd
| MD5 | 2398a631bae547d1d33e91335e6d210b |
| SHA1 | f1f10f901da76323d68a4c9b57f5edfd3baf30f5 |
| SHA256 | 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435 |
| SHA512 | 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21 |
memory/4404-231-0x00007FF8BCC20000-0x00007FF8BCC43000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\libcrypto-3.dll
| MD5 | fd92b9d37fff31a291044bd84c7bc714 |
| SHA1 | a34e4fcd9b970cc8e09f3ba5dcd468636978f598 |
| SHA256 | 8111c1d1b9d09f48d9478ca7ff740bcee5c01d2d962cd5160fea695c0a6b778d |
| SHA512 | c1d381adbbc7b5d47aef69b443e953533b7646869e9a50db00b92da0485bd8bcafd61b0dbd7509efcfb1a1b9daa99c54b942dd34f09b688d8730888f289f863f |
memory/2128-235-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\libcrypto-3.dll
| MD5 | 355e9280448afe960aba0a413983518c |
| SHA1 | 6381b80dd4f9770637074ce2d9fc1728e188afd2 |
| SHA256 | b22ebdc6fd712122532e8f2debed4ec1079b6488acd95f215e4c57ed5b97299d |
| SHA512 | ccf664ecb1e801ae6259f3f813c55dec957de7639572ab4e5028f652a5b620c84495a764debaacfe497c2d13dded63192efcf04cb708cd52017a08609f55ab9f |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\libssl-3.dll
| MD5 | 6eda5a055b164e5e798429dcd94f5b88 |
| SHA1 | 2c5494379d1efe6b0a101801e09f10a7cb82dbe9 |
| SHA256 | 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8 |
| SHA512 | 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e |
memory/548-228-0x0000000005350000-0x0000000005360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_socket.pyd
| MD5 | 3ea95c5c76ea27ca44b7a55f6cfdcf53 |
| SHA1 | aace156795cfb6f418b6a68a254bb4adfc2afc56 |
| SHA256 | 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923 |
| SHA512 | 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0 |
memory/4036-226-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/3320-222-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_bz2.pyd
| MD5 | 341a6188f375c6702de4f9d0e1de8c08 |
| SHA1 | 204a508ca6a13eb030ed7953595e9b79b9b9ba3b |
| SHA256 | 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e |
| SHA512 | 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_lzma.pyd
| MD5 | 5eee7d45b8d89c291965a153d86592ee |
| SHA1 | 93562dcdb10bd93433c7275d991681b299f45660 |
| SHA256 | 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9 |
| SHA512 | 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e |
memory/2616-209-0x000000001CBF0000-0x000000001CC00000-memory.dmp
memory/2616-208-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/4404-207-0x00007FF8CE9B0000-0x00007FF8CE9D4000-memory.dmp
memory/432-205-0x0000000005350000-0x0000000005360000-memory.dmp
memory/4404-204-0x00007FF8CF500000-0x00007FF8CF50F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_queue.pyd
| MD5 | 8b3ba5fb207d27eb3632486b936396a3 |
| SHA1 | 5ad45b469041d88ec7fd277d84b1e2093ec7f93e |
| SHA256 | 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051 |
| SHA512 | 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_hashlib.pyd
| MD5 | 6d2132108825afd85763fc3b8f612b11 |
| SHA1 | af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0 |
| SHA256 | aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52 |
| SHA512 | 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\_decimal.pyd
| MD5 | 918e513c376a52a1046c4d4aee87042d |
| SHA1 | d54edc813f56c17700252f487ef978bde1e7f7e1 |
| SHA256 | f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29 |
| SHA512 | ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\unicodedata.pyd
| MD5 | 6279c26d085d1b2efd53e9c3e74d0285 |
| SHA1 | bd0d274fb9502406b6b9a5756760b78919fa2518 |
| SHA256 | 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6 |
| SHA512 | 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\sqlite3.dll
| MD5 | cc9d1869f9305b5a695fc5e76bd57b72 |
| SHA1 | c6a28791035e7e10cfae0ab51e9a5a8328ea55c1 |
| SHA256 | 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee |
| SHA512 | e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\libcrypto-3.dll
| MD5 | 27515b5bb912701abb4dfad186b1da1f |
| SHA1 | 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411 |
| SHA256 | fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a |
| SHA512 | 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\blank.aes
| MD5 | 291948ee8e8927f3a74e829695ff9b43 |
| SHA1 | 2d28ac4941f4095b8ac4340e4b626af45da15625 |
| SHA256 | 035ba985560ab044aa1c4c413dc1b5706031a6143cd38606e57b5da145aaac6a |
| SHA512 | 924ec1ba39ef26332855871222945b5d5197a7782387175e764558ec410f1f0dab9f8479575e582479e645c3af23d9264141b61846458489e335d308d6024906 |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI24522\base_library.zip
| MD5 | 9d84222015f5e2d8afb5ec74d6808ad0 |
| SHA1 | 38f7c2439e7829cbd2837be1f8b0380ce5c8e444 |
| SHA256 | 20adf37360e803029eb7f0a99ec882f277765193f6d4bed683a391c06959581f |
| SHA512 | 5939f286d47d8ad459521042781d666ff4f99a7b1e4c5747f32f4b3604abca9171fa777ea6453f2e169a4c62931d960b231894fa8faaae0e531c0f232a30e906 |
memory/2444-174-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24522\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
C:\ProgramData\Fluxus V7.exe
| MD5 | b4f9cbca656fd34c4dbb1d706a7f1ad3 |
| SHA1 | 2b95d88a80ccb619b581c420f7435c660cfbb28e |
| SHA256 | 1e022d3886700317e5c41977de8fd595db5fbb3529164048ed09ee7efdb5711d |
| SHA512 | 5ed86eaf8ae42d9a8f0dca9776e25b3c2232434b32088df7feaa8149886594f1d4b1e37c597597eacebdb4082e0263441a6b78def5eef2ad610a6875c28fe969 |
memory/432-165-0x00000000059D0000-0x0000000005F74000-memory.dmp
memory/2432-144-0x0000000000B70000-0x0000000000B80000-memory.dmp
memory/432-143-0x0000000005380000-0x000000000541C000-memory.dmp
C:\ProgramData\Built.exe
| MD5 | 04ca27b4b2b0899e09624b75fa0dcc72 |
| SHA1 | 76e509a69f116ecb48f09ef4c414094e85609937 |
| SHA256 | 433cf7869e2ae961a7f2e905a4e3f5f34a3e3f61016ddde2454d4ef62612b9dc |
| SHA512 | e7a8bfde4507364a7a93d250a0f07c97edb3db4d8f34f5a87fa1a237fa8de9156cefe336a94328e356c9e08c0cbfbf5e9c1ee1496960c9a4d685b0c39901f86c |
memory/4404-236-0x00007FF8BCAA0000-0x00007FF8BCC16000-memory.dmp
memory/4404-239-0x00007FF8BA140000-0x00007FF8BA662000-memory.dmp
memory/548-240-0x0000000009DF0000-0x0000000009DF8000-memory.dmp
memory/548-242-0x0000000009E40000-0x0000000009E4E000-memory.dmp
memory/548-241-0x0000000009E80000-0x0000000009EB8000-memory.dmp
memory/4404-237-0x00007FF8BCA60000-0x00007FF8BCA93000-memory.dmp
memory/4404-245-0x00007FF8CE9B0000-0x00007FF8CE9D4000-memory.dmp
memory/4404-244-0x00007FF8BA670000-0x00007FF8BAC5E000-memory.dmp
memory/548-247-0x000000000B470000-0x000000000BA98000-memory.dmp
memory/4404-249-0x00007FF8CF2C0000-0x00007FF8CF2D9000-memory.dmp
memory/4036-250-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/4404-248-0x00007FF8BFE00000-0x00007FF8BFE2D000-memory.dmp
memory/4404-254-0x00007FF8CF080000-0x00007FF8CF099000-memory.dmp
memory/4404-256-0x00007FF8CEB50000-0x00007FF8CEB5D000-memory.dmp
memory/4404-260-0x00007FF8BC990000-0x00007FF8BCA5D000-memory.dmp
memory/4404-262-0x00007FF8CCB90000-0x00007FF8CCBA4000-memory.dmp
memory/4404-264-0x00007FF8CE9A0000-0x00007FF8CE9AD000-memory.dmp
memory/2128-268-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/432-269-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/4436-267-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/4404-265-0x00007FF8BC870000-0x00007FF8BC98C000-memory.dmp
memory/540-270-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/2068-271-0x00007FF8BE3C0000-0x00007FF8BEE81000-memory.dmp
memory/3900-272-0x00000240EF9A0000-0x00000240EF9B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrexcwme.usg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4404-303-0x00007FF8BA670000-0x00007FF8BAC5E000-memory.dmp
memory/4404-304-0x00007FF8CE9B0000-0x00007FF8CE9D4000-memory.dmp
memory/4404-305-0x00007FF8CF500000-0x00007FF8CF50F000-memory.dmp
memory/4404-306-0x00007FF8BFE00000-0x00007FF8BFE2D000-memory.dmp
memory/4404-307-0x00007FF8CF2C0000-0x00007FF8CF2D9000-memory.dmp
memory/4404-308-0x00007FF8BCC20000-0x00007FF8BCC43000-memory.dmp
memory/4404-310-0x00007FF8BCAA0000-0x00007FF8BCC16000-memory.dmp
memory/4404-314-0x00007FF8CEB50000-0x00007FF8CEB5D000-memory.dmp
memory/4404-312-0x00007FF8CF080000-0x00007FF8CF099000-memory.dmp
memory/4404-317-0x00007FF8BCA60000-0x00007FF8BCA93000-memory.dmp
memory/4404-319-0x00007FF8BC990000-0x00007FF8BCA5D000-memory.dmp
memory/4404-321-0x00007FF8BA140000-0x00007FF8BA662000-memory.dmp
memory/4404-323-0x00007FF8CCB90000-0x00007FF8CCBA4000-memory.dmp
memory/4404-326-0x00007FF8BC870000-0x00007FF8BC98C000-memory.dmp
memory/4404-325-0x00007FF8CE9A0000-0x00007FF8CE9AD000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\MetroFramework.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.202:80 | tcp | |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 96.17.178.179:80 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
161s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1652 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1652 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1652 wrote to memory of 2460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240220-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\MetroFramework.dll,#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DEC.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DET.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:48
Platform
win10v2004-20240226-en
Max time kernel
216s
Max time network
260s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\FM.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:48
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
201s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\LimeRAT.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 2004 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2856 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2856 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2588 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 3040 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DEC.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DEC.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DEC.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ebcd880e3fa4f4b8e6efd992fff5a557 |
| SHA1 | 9b2dc67a007ca1b644cac63587b4c0015d3dd483 |
| SHA256 | 9d2a2fc42b812611b6f1a0bc6375478b718ee892cc2fe2d63a5bf0fc6328590b |
| SHA512 | 0d182d30bc661e99df62d86c9cf89a63dac03c0799496a32a28efb38568d2dba73bf9ee42edd14aa44d4d5c726fd0266e1b62f9dc135b3a75ddbb556ecb55b18 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 2164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2224 wrote to memory of 2164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2224 wrote to memory of 2164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2164 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2164 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2164 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2164 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\FM.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\FM.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\FM.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8a5fcb81c09077ab149d21eec28ad9ba |
| SHA1 | 5851dbd8b395c8f97dc97f46b1c5a23005768f04 |
| SHA256 | 4c7f6eb69d7b7b708f2ea178b346fe5a40b82711d77d3a6b227ebe663576e579 |
| SHA512 | 89995420db569502f3ed530a402f1312fd57864a73cba93982046dbd02fcb7127c75b4c1a08c19fd3cf4284d51ed546ecd6cdcef29715a9e7c517a37653cc048 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
191s
Max time network
200s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
njRAT/Bladabindi
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.url | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchоst = "C:\\ProgramData\\svchоst.exe" | C:\ProgramData\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svchost\\$77svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Windows.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\Fluxus V7.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sisk.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Dеbug\BandeeraRAT By Donbas.exe
"C:\Users\Admin\AppData\Local\Temp\Dеbug\BandeeraRAT By Donbas.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe"
C:\Users\Admin\AppData\Local\Temp\sisk.exe
"C:\Users\Admin\AppData\Local\Temp\sisk.exe"
C:\ProgramData\XClient.exe
"C:\ProgramData\XClient.exe"
C:\ProgramData\Cheat.exe
"C:\ProgramData\Cheat.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\ProgramData\Fluxus V7.exe
"C:\ProgramData\Fluxus V7.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\ProgramData\Built.exe
"C:\ProgramData\Built.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchоst" /tr "C:\ProgramData\svchоst.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svchost\$77svchost.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "ssbobr2.0.exe" /TR "C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe \"\ssbobr2.0.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN ssbobr2.0.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sisk.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sisk.exe'
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1072
C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\ProgramData\Cheat.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6FF2.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\svchost\$77svchost.exe
"C:\Users\Admin\svchost\$77svchost.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {81407107-D6A5-4EDE-BEF6-FB9A4D3F3142} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
C:\ProgramData\svchоst.exe
C:\ProgramData\svchоst.exe
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe"
C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
"C:\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | epsilonbot.xyz | udp |
| US | 8.8.8.8:53 | greater-questionnaire.gl.at.ply.gg | udp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | stories-boulevard.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | stories-boulevard.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:35608 | tcp | |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 8.8.8.8:53 | points-detect.gl.at.ply.gg | udp |
| US | 147.185.221.18:35608 | points-detect.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 8.8.8.8:53 | artist-shared.gl.at.ply.gg | udp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| US | 147.185.221.18:35608 | artist-shared.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:34511 | tcp | |
| US | 147.185.221.17:5562 | greater-questionnaire.gl.at.ply.gg | tcp |
| US | 147.185.221.18:34511 | artist-shared.gl.at.ply.gg | tcp |
Files
memory/2708-0-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2708-1-0x00000000009E0000-0x000000000186A000-memory.dmp
memory/2708-2-0x000000001BA50000-0x000000001BAD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b999717daef626476c4b8b09f0f7c29c |
| SHA1 | 9366509bc10e0ba6d199519f64169567576d8670 |
| SHA256 | 4a70e860435501a11e2b55cb8ca4bd4d5917f3709def7e6f59ecdf5885e4a96c |
| SHA512 | ac28d486fdb4fbf32f3031196047ac49c070ac60032528e90a50a6ea048495dc84065364908bfa131264bdd554882b7756057334672e2280ed384ccc15d202dd |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 4a0a39d8bf6c93b4cb02348205832989 |
| SHA1 | 92b663f4f9bf0cedb15c631a98c5efb55e55dd01 |
| SHA256 | 22f19b21f1cb448f1c61399069ffc9708fb131f9fd236d8346d610003b991d58 |
| SHA512 | cc4f07e9d2cb97e272827f0c1fbeb3989c570ad9820a0d399f39898c7333248a9ada74163744bc7565b0a0d7dc73810b2543bf4ffdab46a67adc6d0370e9916d |
memory/2040-8-0x0000000001210000-0x000000000152E000-memory.dmp
memory/2040-11-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxus_V8.exe
| MD5 | 09fdabdb829334cc82d5bc2f5c49258f |
| SHA1 | 99dad6fd3061d1ea610f12ed1e4295a5e0e6ddb1 |
| SHA256 | 93cab95ebfdd6049c85e76f56ffde35fd5416d7739ce5743ad3a10e5d22fc18d |
| SHA512 | 3375dac69423a91fc37adf67e0bfa1f80fafc068a78955341a2a02d7f64c5f8ce096d1d419ed951eac86da2cd6951eca00e8ba09fe7798871c598bfc77603e9d |
memory/2612-15-0x0000000000E10000-0x0000000001972000-memory.dmp
memory/2708-16-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2612-17-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2708-18-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2040-19-0x000000001B5B0000-0x000000001B630000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 8b66a8d32d363d32953dddd62e80ca21 |
| SHA1 | 12ded8178e85560234eeb13e43999f7c7ee43703 |
| SHA256 | 27f82ec5a026b0208cdba8783f02a46ff69610720d99b28dd7c6a2bf470eac66 |
| SHA512 | c651471808582761aefd49217836cfc566ecba130e24fed986bd8f29eb9d200693e136c84d84b92983d9d9d3a73cc433e94afe726706c9e49f9fb39deff083f0 |
\Users\Admin\AppData\Local\Temp\ssbobr2.0.exe
| MD5 | 701df65121e1977fdf160bd9cfb9bb6a |
| SHA1 | 5fbbddbad5e0ca509b60134f78188f255bf6b74e |
| SHA256 | 3723e482205265aab379471320d8ed825c04a106fd15881e5f09e6e25fc4e5f1 |
| SHA512 | 2b15ab4a089bcf1f62cb0172f1674756016f54e07547b5038ba10975aaf6dde920d2a18d254245b4a4f2715b32040086a00b1cacc1bcf4cc1dc5a512feaa9607 |
memory/1912-28-0x000000013FE10000-0x000000013FE1E000-memory.dmp
memory/2532-25-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1912-29-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2612-30-0x000000001BDD0000-0x000000001BE50000-memory.dmp
memory/2040-31-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | f48091811d7871c6e9442d5a27adca0e |
| SHA1 | a57b9fe0d63319b24dc716429d5ac0e1b24fe695 |
| SHA256 | 52152469ba6f6e844568db8fa5a3d5fc982c2b5f0b6277f223bc38a426422612 |
| SHA512 | e2677264e4eadefc1e0ae1f708b95f20e764b8dca326635ad4ec55f0b751a13dff89732452b3bca51287d3e3854a35e53e8220dbaee2ec9c2126a66a69b9b988 |
memory/2532-34-0x0000000001070000-0x00000000010F0000-memory.dmp
memory/1140-39-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/680-37-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2532-40-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | b869e32cdac575ca23d73e7f9f046e6b |
| SHA1 | 2bc4ce47bb37e3ffb4faabc1015d2608a8fa96c1 |
| SHA256 | 4dc95e267ff2a5054ca354035113f16be23c06e374343b6db43b5a084b71b8e3 |
| SHA512 | d6913b3460d947043313d65458768d2fb5bb24d38da236ca88a00f61f63829e164681a22c41c3780e25001827a7219eac73b47dc26eed5ad46705c0b079c7e80 |
memory/680-41-0x000000001B670000-0x000000001B6F0000-memory.dmp
memory/2736-45-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2612-46-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2616-47-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1912-48-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2612-49-0x000000001BDD0000-0x000000001BE50000-memory.dmp
memory/680-50-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1912-51-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/1140-52-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2736-53-0x0000000000D70000-0x0000000000DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 04634c11994915b0f2dfe0b456b41e88 |
| SHA1 | dfe1667f56e59fb6b4d08e6c5ea546e9b003e07e |
| SHA256 | dc309cdbd9aa2e2f3bdb8031b5f048c653c51c4ca5623e593ccc920c27249d3f |
| SHA512 | 98cc5b16ae7b102657674d830e2cbee961e10beaa666940334a568de002e5a8fdcc7785c281da0bdfffdb4aafe65defbf015e0814102c60b78260787d8607d1f |
memory/2736-57-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 2083ed7316e1e2545a21538f118a5919 |
| SHA1 | e7f971e35615bc6ee42608b8ab8f01066b08573f |
| SHA256 | 0823c3cc38f774d50e6d231e3c57caddbacfcb17eefac508148b6641942cc1f2 |
| SHA512 | bef5961814bdee595978cd5b15baf012f2085138884ce02cff242c8823fa37436b193dd10377a104f2120d8e9d7d8fd886b1e5138db6b150eb488bb7dfe2b88a |
C:\Users\Admin\AppData\Local\Temp\Fluxsus_V8.exe
| MD5 | 6d0325134f453f5af7ceaefb3535a635 |
| SHA1 | de07952ddaf4bf80082c3e3bec6fac4ae6e1f02d |
| SHA256 | d3e1db0b6d002673223a314fcb317982e1154f60d47d4c17e58fb914905b802c |
| SHA512 | 860e64a6702de50330f3d35317bf7ecbbc77a16b3d7b9094f10caeda60acdeb54f18b9df2ce261e81d59daf3b3adced0585e38f274613bd75eee3c39f0a1676f |
memory/2120-63-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1992-64-0x00000000001B0000-0x0000000000D1E000-memory.dmp
memory/2736-67-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\ProgramData\XClient.exe
| MD5 | 9ecb9d48c8da1e49862a32f5d32e3c9b |
| SHA1 | 20902b0b25916dab87b0a373e6fa28ce26feed49 |
| SHA256 | fb2089afae7b75b4bfe6780786cd723a7ef09a22ac3b8701b31c3989de41e7ff |
| SHA512 | 3dfd281d6989c8a4e9c19c35cb5581821854dfe5719e58e59b4ab7955e272e108e626fa9a7bd6c0fa0ab9d596176ff008c157fa8908959da321cb921dd70cae3 |
memory/2616-65-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sisk.exe
| MD5 | ab1bbb41c6c90c3b6d93a9be5e352995 |
| SHA1 | 70cd2de832d76014d7f50ee1a16e89fba701b659 |
| SHA256 | 1bf82ca4dd37e2b8f28b458da35a1e76059d65999a4bc480f4c245544c963c45 |
| SHA512 | 77b8aa1baafc4301e563fd6298ebc7785803f6894e12deb52887424a8ad8bf6f907c0297da7ed4cfd58fc151d5507d6164fb2bd2644c6cd71e84a6ca765d57a2 |
memory/3020-80-0x0000000000E90000-0x0000000000EA8000-memory.dmp
memory/2612-85-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2036-82-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1992-89-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
\ProgramData\Built.exe
| MD5 | 1b4a2a0b192f516acfa5115d34cb6190 |
| SHA1 | 4abf9009ddb2befc0e5e327706d2ebb8bb9602be |
| SHA256 | 4c5598794619dcf88209f97b06deedcd6a8223c78d51ed29ea7895a77a6a6d68 |
| SHA512 | 6ed17407beaaceb2c3daef1aac4c6cd7aa1bc8a1fa255ec47a60a6789289d91a24981953862acad4b827aa05aa944f527479c30173b4f2b03c02ff6853afc909 |
memory/1988-86-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | 1cc6a349d63aa5339e46394c5a9f96d7 |
| SHA1 | 5b5456bd6e029575f6617266c425d2600ad2fed7 |
| SHA256 | e606547dc990d50af0511acf80802c50ef673a10f88a2a84e8a7155b812a2e1a |
| SHA512 | a4f69c52ed9b79f6cc5218fcbcdbcdfb0add6c8eec69ac4e4906ffb32a9ac34ca109ff9b5ea33687304bc288fa16a4167da507a1bb89d2466b687f3460367ef5 |
memory/292-131-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1140-133-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2120-134-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1912-140-0x0000000000630000-0x00000000006B0000-memory.dmp
memory/3036-145-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\ProgramData\Fluxus V7.exe
| MD5 | 58b65164b575ae28b5fc3188535be89a |
| SHA1 | 58174589173dbffc1c98832b9189a318d677ee09 |
| SHA256 | c90714c9e0a6804b82d5066255bd2faba2a2a37069d42bc3a04c0032a7ae2e93 |
| SHA512 | 53b7d93502475ac31467f271747877a6bcab5d5f95c5bcae4e1813cbdae1572ddddf11689d4896d314dd9504c9b62294613a7de0a1030e33631bd8f17bccced0 |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 65c8c9db5e0dd8df82de4f1dca812d9a |
| SHA1 | aca2a440a5a2817754d5deb43a382635e5e4406b |
| SHA256 | ae7ad2639b340e3072277cfe63785d1adfea29c7d0a1628a3e438cadcfe5dfec |
| SHA512 | 59d0ae5d5cec4c96d06d9c6e03c82bffbb999df3b2fe1e2db3e16a3810634d6570373265b4104b7cb4b368c01c0a842b48b674412cdc9cc07093c7b63eb4c2e7 |
\ProgramData\Built.exe
| MD5 | e7cecffe4cc891b4f4b3dad5eb2b9616 |
| SHA1 | 32454d30378d1a965d17e42bd1120e3a3ffe042d |
| SHA256 | 47a9389e8a33cc970c147e3ab484e1046c9fd2075254b12958587b2e3eef39aa |
| SHA512 | 297a1847072792f97802a177e7cd37b1bb7418c28aaed792ed9e855c4653b52df7a3fc851617eea42f5137a334b36c4ebd9ce4d91895ca3d2c9b89254dbbfe08 |
memory/752-148-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2036-146-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\ProgramData\Cheat.exe
| MD5 | a495f7df4cdb2c9febd69c56ff6563bc |
| SHA1 | f95944cab464e1d89b671be7ec345d44e9bf8a03 |
| SHA256 | 5779c0b0351a6ecc3a65d5f979858f930c9a63fa907cea2082a0de2af6393052 |
| SHA512 | 74c38d45af559f5a30d22b2525b5c45becbf512afd828aed0604554e9c6c13b1b587dd88a035be02f9c6d319d4a0f894597de67024902049b00580f3e984f1e7 |
memory/2976-141-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2036-137-0x000000001BF50000-0x000000001BFD0000-memory.dmp
memory/2616-136-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/752-135-0x000000001B560000-0x000000001B5E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 275222a2cbba273ea4ea96daa4e781d5 |
| SHA1 | d8dc2525122850baab03a39167e4d36b5e112b37 |
| SHA256 | cdc8ad73cf1ec263e1bdd5a4c83855d39f5f076b566bfca1c8c73792c54053cf |
| SHA512 | d3c37af85aff4e8c50bfdf8711b85ddf66430f9ce55e1d261e40eb6aefbb15f79001fef6aaef78c87f5c9829f69541a597dd20b26e40b43b0515d69862287828 |
memory/1992-130-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/752-128-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/2216-127-0x000007FEF1B00000-0x000007FEF20EE000-memory.dmp
memory/2120-98-0x000000001B550000-0x000000001B5D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI28642\python311.dll
| MD5 | 76eb1ad615ba6600ce747bf1acde6679 |
| SHA1 | d3e1318077217372653be3947635b93df68156a4 |
| SHA256 | 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1 |
| SHA512 | 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb |
C:\ProgramData\Built.exe
| MD5 | 022c90d2b607ce098df042969f1ff10c |
| SHA1 | ba9e320d766bc4e131c51c115275dc0efe2b8df6 |
| SHA256 | 60e2391c0b640cbed4d5773ad9d65a54dd07e03afa18d410ef8b08d90a2a3b07 |
| SHA512 | 84cbcc875dd977d8b319fa68a472bf6ec3b7f923e43ab10fd88102bc02f46180820e427416bb5a95da57302b151703df298b9eb9c37ac93e98da0e181a7a5f31 |
memory/2616-93-0x000000001BD40000-0x000000001BDC0000-memory.dmp
memory/3020-92-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/3020-149-0x0000000000B30000-0x0000000000BB0000-memory.dmp
memory/1988-77-0x0000000001010000-0x0000000001020000-memory.dmp
memory/2500-159-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | 7940390ba263f17266178095fe2781f6 |
| SHA1 | 7ccb95e2b9afbe194a7666642f189417539c69bb |
| SHA256 | 04c63c33451b32d8f1ed446a4b5394a20e4f60509c7bac0e7d3698e933a9daf6 |
| SHA512 | d24ac53e7d33390e70f360672c2a5b56817729324cd896d033aedf846c813bcd77bdb51fad8f7f27fa780b8cf642952380efe48012981b0d7b48b4de470dc3b6 |
memory/292-154-0x000000001AF00000-0x000000001AF80000-memory.dmp
memory/2976-153-0x000000001BBF0000-0x000000001BC70000-memory.dmp
memory/3036-152-0x000000001B580000-0x000000001B600000-memory.dmp
memory/3020-151-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
memory/1988-150-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BanderaRAT.exe
| MD5 | fcda8924766bc4a566a52124882045db |
| SHA1 | 1ede746f645ed2332ff99e581f8a4c6516daa1a5 |
| SHA256 | 3ed8b852da64b6e6b83161a797ce3b12d72f67f16d0f49d28c4490d95826d43a |
| SHA512 | f85333c87903e4e8bdd3ee8edc60ee15fd74379d04ee5f73065236f21509fd11ed05edb1edb40c43987fd33ac18518c57d51b67af6da288c4d123dfe5dbd6233 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6X2LH8FSKNC3N7AF2D2.temp
| MD5 | c5cfa007ecd671ce9874c5ed3ef0b4fa |
| SHA1 | 1db862fe70a75a8a246a058b8437569bca3124c6 |
| SHA256 | 5b11de6cbe3928f08a83c2bcefe6fd93c376bd090646c5e716d173e4915db617 |
| SHA512 | 4f8139d4634d9010f13b37323aa553fadd3d0e491cb5578f296dc453daed0768a40719707b4d2d82687c2d43651954960b7951da58df1f26bc94e79eabf62975 |
C:\Users\Admin\AppData\Local\Temp\tmp6FF2.tmp.bat
| MD5 | 5e03f3075b71e593bf37ea34ec16eed4 |
| SHA1 | d400518ab1417a878ac1325e2d5b2bd655ccc9ca |
| SHA256 | 2807de32a3023defb7eb77b0937d748704c48f271d844392e3c855692ac016fc |
| SHA512 | f9d16ed47140ee52c79d9af61dbc7b7f2a52074236827c0bb235bd4cd5508738305a877088f4309436d0243c0ae28916e12d00be767559a219e7e708aa1b78ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar7E99.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dеbug\MetroFramework.Fonts.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:47
Platform
win7-20240221-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3056 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2588 wrote to memory of 2556 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\GeoIP.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\GeoIP.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\GeoIP.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d1c324f2d2cc818cbf3e574dd17e5faa |
| SHA1 | 3e3151311bdff7ceb7f77cebd82cdcb313711071 |
| SHA256 | 3df3af9fc733c7f5c17c92e52686302837ac313d184911ef83f91a689fad3bcb |
| SHA512 | 513c55c61c4a7b906bfa9d20649c7cce48a26063737045bd1f96fdf4f21bba85c70b4ed510d993213170dab004198b185c72fe08abb09cb8a76039a748ce9f61 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:48
Platform
win10v2004-20240226-en
Max time kernel
173s
Max time network
221s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\CRYP.pdb
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 16.43.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-05 12:43
Reported
2024-03-05 12:46
Platform
win7-20240215-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pdb | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pdb\ = "pdb_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pdb_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1204 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1204 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1204 wrote to memory of 2172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2172 wrote to memory of 2656 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.pdb
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.pdb
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dеbug\Misc\Plugins\DDOS.pdb"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 47c1f5b0d64e97963e84412f0a8fd3e1 |
| SHA1 | 3d4060fee69cebdf499d4f7c18e760a890890751 |
| SHA256 | 74bc67d6f2eb5041329bfdee5e6d6d5ab09ce0a3e735dc8eb9d3c3bf79059562 |
| SHA512 | 12b025b541e3e0242fb1421abfd996cf34deb8c9302ed17cb3f54cff4f54dd8ad192219e1407b40d928cd4c1d5bb918f1ce3dd89c5880ffbea1c0850e0ceb67a |