Analysis Overview
SHA256
53ba48a952c4fe5731cc72d46ad812a5361912d6ba7e814d514080084b98d1f6
Threat Level: Known bad
The file Caffeine AIO V6.4.exe was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Hide Artifacts: Hidden Window
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-28 22:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-28 22:51
Reported
2024-08-28 22:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\Caffeine AIO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A |
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe | "C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe" |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe | "C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe" |
| C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\Caffeine AIO.exe | "C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "title Running AIO... ^[Free^] " |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "title Staring... ^[Free^] " |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "title Downloading last version... ^[Free^] " |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe" |
| \??\c:\windows\system32\cmstp.exe | "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\vthqtiyw.inf |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe |
| C:\Windows\system32\taskkill.exe | taskkill /IM cmstp.exe /F |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" |
| C:\Windows\SYSTEM32\netsh.exe | netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp |
| GB | 142.250.200.33:443 | proxy-cheap.blogspot.com | tcp |
| GB | 142.250.200.33:443 | proxy-cheap.blogspot.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 33.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | gfs214n167.userstorage.mega.co.nz | udp |
| ES | 185.206.27.77:80 | gfs214n167.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 15.125.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.27.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | acpanel.hackcrack.io | udp |
| US | 147.124.205.158:16164 | acpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 147.124.205.158:16164 | acpanel.hackcrack.io | tcp |
| US | 147.124.205.158:16164 | acpanel.hackcrack.io | tcp |
Files
memory/2772-0-0x00007FFE220B3000-0x00007FFE220B5000-memory.dmp
memory/2772-1-0x0000000000AE0000-0x0000000001BC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | be11c92a7f9006e22ad6b5db6dc54c10 |
| SHA1 | 280bfbe912072b6e7465f3cb55b660f85a95cce4 |
| SHA256 | b223c55891d3e70c0330e4653b6ae5f4ac0f6484b14b96bd5996bd2c92a4a407 |
| SHA512 | d255a77f333a24da3d1ef18610d5c46e9cf5119334da62316e6e38348dc823ed3b6ee7a3740b1285a13afe645706e0091abe3ff869fa2d6bc665de0a8ad9b4ae |
memory/4508-14-0x0000000000170000-0x00000000001E8000-memory.dmp
memory/4508-21-0x00000000022B0000-0x00000000022DA000-memory.dmp
memory/4508-20-0x00007FFE220B0000-0x00007FFE22B71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe
| MD5 | c8519412e5cdb85b6c4aa4d83cb81102 |
| SHA1 | 6501f176264e97b0a17da3210e5c4697b340df4c |
| SHA256 | f700801ecc59f7f02af57adcf51989f08dac198e041437ccdfd3c09e1da2bda7 |
| SHA512 | 91d45ff15701344ea3b52c98d356882a7780e1a2330e726259feb9e47a16578d46f88af4c8b70d0f63aa1ed4144e25b935e53ea7f453bf284432433a6964163f |
memory/1116-27-0x00007FFE220B0000-0x00007FFE22B71000-memory.dmp
memory/4508-29-0x00007FFE220B0000-0x00007FFE22B71000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 605d3781d3ed4a3729f9e2acfad3e8af |
| SHA1 | 818e82d948c838af9e897987947d597405c8980f |
| SHA256 | eb25d9af5566e4016fdac1b2c854fc13271c55498542c0b7158b1a6c947317b1 |
| SHA512 | 36c2fa37e7825819efe75c14518b6ad8d1f64baa7aae4dc46cebc8651265e7c1a00173efa71248960a2f8dc540ba1f0dc40164d3ee0ba5d5ad0ee51caf476b19 |
memory/4508-41-0x00007FFE220B0000-0x00007FFE22B71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log
| MD5 | 3982d6d16fd43ae609fd495bb33433a2 |
| SHA1 | 6c33cd681fdfd9a844a3128602455a768e348765 |
| SHA256 | 9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9 |
| SHA512 | 4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa |
memory/2816-40-0x000000001AEC0000-0x000000001AEC8000-memory.dmp
memory/1116-44-0x00007FFE220B0000-0x00007FFE22B71000-memory.dmp
memory/2816-39-0x0000000000520000-0x0000000000578000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\Caffeine AIO.exe
| MD5 | 64cee0725f4190838259cbeeec00db38 |
| SHA1 | 2280e6b01e1285b1ea18e86b0c40e0ef706c20eb |
| SHA256 | 5445cef5ba425b3a96bb4ae83b24d11337b59eb0f83b70ed00aba60a2f171a62 |
| SHA512 | d0caa84efc5e133af3f9454e274315f68420799efc7d76d29932103410171edcd620e983620cdb4e35d2117d880fe41856ea2b366eaaa4284e7fda08b56a4591 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\VCRUNTIME140.dll
| MD5 | 4585a96cc4eef6aafd5e27ea09147dc6 |
| SHA1 | 489cfff1b19abbec98fda26ac8958005e88dd0cb |
| SHA256 | a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736 |
| SHA512 | d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_ctypes.pyd
| MD5 | bd36f7d64660d120c6fb98c8f536d369 |
| SHA1 | 6829c9ce6091cb2b085eb3d5469337ac4782f927 |
| SHA256 | ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902 |
| SHA512 | bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\select.pyd
| MD5 | c97a587e19227d03a85e90a04d7937f6 |
| SHA1 | 463703cf1cac4e2297b442654fc6169b70cfb9bf |
| SHA256 | c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf |
| SHA512 | 97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_socket.pyd
| MD5 | 1eea9568d6fdef29b9963783827f5867 |
| SHA1 | a17760365094966220661ad87e57efe09cd85b84 |
| SHA256 | 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117 |
| SHA512 | d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd
| MD5 | baf4db7977e04eca7e4151da57dc35d6 |
| SHA1 | 80c70496375037ca084365e392d903dea962566c |
| SHA256 | 1a2ec2389c1111d3992c788b58282aaf1fc877b665b195847faf58264bf9bc33 |
| SHA512 | 9b04f24ee61efa685c3af3e05000206384ec531a120209288f8fdc4fb1ec186c946fd59e9eb7381e9077bfbcfc7168b86a71c12d06529e70a7f30e44658a4950 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd
| MD5 | fa50d9f8bce6bd13652f5090e7b82c4d |
| SHA1 | ee137da302a43c2f46d4323e98ffd46d92cf4bef |
| SHA256 | fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb |
| SHA512 | 341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_hashlib.pyd
| MD5 | 4255c44dc64f11f32c961bf275aab3a2 |
| SHA1 | c1631b2821a7e8a1783ecfe9a14db453be54c30a |
| SHA256 | e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29 |
| SHA512 | 7d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32api.pyd
| MD5 | 1d6762b494dc9e60ca95f7238ae1fb14 |
| SHA1 | aa0397d96a0ed41b2f03352049dafe040d59ad5d |
| SHA256 | fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664 |
| SHA512 | 0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\win32process.pyd
| MD5 | 936b26a67e6c7788c3a5268f478e01b8 |
| SHA1 | 0ee92f0a97a14fcd45865667ed02b278794b2fdf |
| SHA256 | 0459439ef3efa0e0fc2b8ca3f0245826e9bbd7e8f3266276398921a4aa899fbd |
| SHA512 | bfe37390da24cc9422cabbbbbc7733d89f61d73ecc3765fe494b5a7bd044e4ffb629f1bb4a28437fe9ad169ae65f2338c15d689f381f9e745c44f2741388860b |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_cffi_backend.pyd
| MD5 | fde9a1d6590026a13e81712cd2f23522 |
| SHA1 | ca99a48caea0dbaccf4485afd959581f014277ed |
| SHA256 | 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b |
| SHA512 | a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\Crypto\Hash\_SHA1.pyd
| MD5 | 5e6fef0ff0c688db13ed2777849e8e87 |
| SHA1 | 3e739107b1b5ff8f1ffaac2ede75b71d4ebd128f |
| SHA256 | e88a0347f9969991756815dff0af940f00e966bc7875aa4763a2c80516f7e4ed |
| SHA512 | b97d4aa0ae76f528e643180ed300f1a50eafe8b82c27212a95ce380bca85f9ce1ff1ac1190173d56776fd663f649817514d6501ce80518f526159398daa6f55c |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_elementtree.pyd
| MD5 | 53ba094149f6fc5f4f7349d4e0019857 |
| SHA1 | 17f8fb2487d2dedb2bc1595cc8dede2c9bcad4f9 |
| SHA256 | edb86a361198e68dfeec10b8bef6937540f43a4578356fd2f13546de03471026 |
| SHA512 | 10d1714e1cf41981ef7da99713ad5b7c8647a13813a9012a69c4b5bb1542c4f5c170175a2cd49d94d79b5d10f71bbba5732245c1d6df1f35ab6adb79f9a1d6f5 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\pyexpat.pyd
| MD5 | 9c21a5540fc572f75901820cf97245ec |
| SHA1 | 09296f032a50de7b398018f28ee8086da915aebd |
| SHA256 | 2ff8cd82e7cc255e219e7734498d2dea0c65a5ab29dc8581240d40eb81246045 |
| SHA512 | 4217268db87eec2f0a14b5881edb3fdb8efe7ea27d6dcbee7602ca4997416c1130420f11167dac7e781553f3611409fa37650b7c2b2d09f19dc190b17b410ba5 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_uuid.pyd
| MD5 | 46e9d7b5d9668c9db5caa48782ca71ba |
| SHA1 | 6bbc83a542053991b57f431dd377940418848131 |
| SHA256 | f6063622c0a0a34468679413d1b18d1f3be67e747696ab972361faed4b8d6735 |
| SHA512 | c5b171ebdb51b1755281c3180b30e88796db8aa96073489613dab96b6959a205846711187266a0ba30782102ce14fbfa4d9f413a2c018494597600482329ebf7 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\vcruntime140_1.dll
| MD5 | 7e668ab8a78bd0118b94978d154c85bc |
| SHA1 | dbac42a02a8d50639805174afd21d45f3c56e3a0 |
| SHA256 | e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f |
| SHA512 | 72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\pywintypes311.dll
| MD5 | 90b786dc6795d8ad0870e290349b5b52 |
| SHA1 | 592c54e67cf5d2d884339e7a8d7a21e003e6482f |
| SHA256 | 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a |
| SHA512 | c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\tcl\encoding\cp1252.enc
| MD5 | e9117326c06fee02c478027cb625c7d8 |
| SHA1 | 2ed4092d573289925a5b71625cf43cc82b901daf |
| SHA256 | 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e |
| SHA512 | d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\tk86t.dll
| MD5 | 499fa3dea045af56ee5356c0ce7d6ce2 |
| SHA1 | 0444b7d4ecd25491245824c17b84916ee5b39f74 |
| SHA256 | 20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94 |
| SHA512 | d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\tcl86t.dll
| MD5 | ac6cd2fb2cd91780db186b8d6e447b7c |
| SHA1 | b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a |
| SHA256 | a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6 |
| SHA512 | 45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_tkinter.pyd
| MD5 | 758e6e2776585a3ca2e9551edc21edeb |
| SHA1 | 8d2268f1c2e6cf0d705bcf615ea17dc9460db25c |
| SHA256 | f2a69b21c5043d567e79f0a2cec4747e1d6f9107f3a4d4e381e41e1c37726c1d |
| SHA512 | 827e68deab9357e226c946dc24bb2d36acb232bc7efa4ee8f8bb9343f659e2d89045cf57bd4d8ce4b7694a8d98a6d4a01f1894acb5d0c4daf7d8c9a912b74213 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\unicodedata.pyd
| MD5 | aa13ee6770452af73828b55af5cd1a32 |
| SHA1 | c01ece61c7623e36a834d8b3c660e7f28c91177e |
| SHA256 | 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb |
| SHA512 | b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\charset_normalizer\md__mypyc.pyd
| MD5 | 2d1f2ffd0fecf96a053043daad99a5df |
| SHA1 | b03d5f889e55e802d3802d0f0caa4d29c538406b |
| SHA256 | 207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13 |
| SHA512 | 4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_queue.pyd
| MD5 | f00133f7758627a15f2d98c034cf1657 |
| SHA1 | 2f5f54eda4634052f5be24c560154af6647eee05 |
| SHA256 | 35609869edc57d806925ec52cca9bc5a035e30d5f40549647d4da6d7983f8659 |
| SHA512 | 1c77dd811d2184beedf3c553c3f4da2144b75c6518543f98c630c59cd597fcbf6fd22cfbb0a7b9ea2fdb7983ff69d0d99e8201f4e84a0629bc5733aa09ffc201 |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\libssl-1_1.dll
| MD5 | 25bde25d332383d1228b2e66a4cb9f3e |
| SHA1 | cd5b9c3dd6aab470d445e3956708a324e93a9160 |
| SHA256 | c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13 |
| SHA512 | ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\libcrypto-1_1.dll
| MD5 | e94733523bcd9a1fb6ac47e10a267287 |
| SHA1 | 94033b405386d04c75ffe6a424b9814b75c608ac |
| SHA256 | f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44 |
| SHA512 | 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f |
C:\Users\Admin\AppData\Local\Temp\onefile_1456_133693590739208699\_ssl.pyd
| MD5 | 208b0108172e59542260934a2e7cfa85 |
| SHA1 | 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a |
| SHA256 | 5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69 |
| SHA512 | 41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d |
memory/1456-1091-0x00007FF6BCF50000-0x00007FF6BDFC8000-memory.dmp
memory/3316-1092-0x00007FF7DF230000-0x00007FF7E1ABB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\megapy_ai8ps5m0
| MD5 | a2bd98779d4e415ccfba9e7c53d24fbc |
| SHA1 | 6a0a2d8ce6dfde9b1d27019d70c86f11bf377a1b |
| SHA256 | bfc2ac66a659672726b146a953ee90fd128420d2ae51c10c1896f825537f32aa |
| SHA512 | b4f684e66f1c70303d57a59ce3c9a149955028b297a1b286d98e04ff350f79cb196b6d7dc492eb62fa5831e0d3d08d5211d955f3bf7731c8147339bb723760fc |
memory/3316-1123-0x00007FF7DF230000-0x00007FF7E1ABB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 794d834f4a9a70041b3cad4d0002030f |
| SHA1 | facc1ed8ade82799866c8414406d80549c190a9b |
| SHA256 | 2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b |
| SHA512 | 2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565 |
memory/1624-1147-0x000000001C1E0000-0x000000001C286000-memory.dmp
memory/1624-1150-0x000000001C840000-0x000000001CD0E000-memory.dmp
memory/1624-1152-0x000000001BDD0000-0x000000001BE6C000-memory.dmp
memory/1624-1153-0x0000000001410000-0x0000000001418000-memory.dmp
memory/1624-1154-0x0000000001640000-0x000000000164C000-memory.dmp
memory/4432-1156-0x00000197ACB50000-0x00000197ACB72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edgegayc.40z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5032-1232-0x000001A9A0F50000-0x000001A9A116C000-memory.dmp
memory/4432-1234-0x00000197C4E20000-0x00000197C503C000-memory.dmp
memory/2824-1236-0x00000140EFE50000-0x00000140F006C000-memory.dmp
memory/3088-1237-0x000001B42FC50000-0x000001B42FE6C000-memory.dmp
memory/4736-1239-0x0000021278AA0000-0x0000021278CBC000-memory.dmp
memory/2268-1243-0x0000021224030000-0x000002122424C000-memory.dmp
memory/220-1242-0x000001FF412F0000-0x000001FF4150C000-memory.dmp
memory/5020-1245-0x0000026169170000-0x000002616938C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-28 22:51
Reported
2024-08-28 22:53
Platform
win7-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2096_133693590805900000\Caffeine AIO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2096_133693590805900000\Caffeine AIO.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe
"C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe
"C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2096_133693590805900000\Caffeine AIO.exe
"C:\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp |
| GB | 142.250.200.33:443 | proxy-cheap.blogspot.com | tcp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.41.239:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | acpanel.hackcrack.io | udp |
| US | 147.124.205.158:16164 | acpanel.hackcrack.io | tcp |
| US | 147.124.205.158:16164 | acpanel.hackcrack.io | tcp |
Files
memory/2152-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp
memory/2152-1-0x0000000000D80000-0x0000000001E60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.exe
| MD5 | be11c92a7f9006e22ad6b5db6dc54c10 |
| SHA1 | 280bfbe912072b6e7465f3cb55b660f85a95cce4 |
| SHA256 | b223c55891d3e70c0330e4653b6ae5f4ac0f6484b14b96bd5996bd2c92a4a407 |
| SHA512 | d255a77f333a24da3d1ef18610d5c46e9cf5119334da62316e6e38348dc823ed3b6ee7a3740b1285a13afe645706e0091abe3ff869fa2d6bc665de0a8ad9b4ae |
memory/968-9-0x0000000000FA0000-0x0000000001018000-memory.dmp
\Users\Admin\AppData\Local\Temp\Caffeine AIO V6.4 .exe
| MD5 | c8519412e5cdb85b6c4aa4d83cb81102 |
| SHA1 | 6501f176264e97b0a17da3210e5c4697b340df4c |
| SHA256 | f700801ecc59f7f02af57adcf51989f08dac198e041437ccdfd3c09e1da2bda7 |
| SHA512 | 91d45ff15701344ea3b52c98d356882a7780e1a2330e726259feb9e47a16578d46f88af4c8b70d0f63aa1ed4144e25b935e53ea7f453bf284432433a6964163f |
memory/968-42-0x0000000000350000-0x000000000037A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 605d3781d3ed4a3729f9e2acfad3e8af |
| SHA1 | 818e82d948c838af9e897987947d597405c8980f |
| SHA256 | eb25d9af5566e4016fdac1b2c854fc13271c55498542c0b7158b1a6c947317b1 |
| SHA512 | 36c2fa37e7825819efe75c14518b6ad8d1f64baa7aae4dc46cebc8651265e7c1a00173efa71248960a2f8dc540ba1f0dc40164d3ee0ba5d5ad0ee51caf476b19 |
memory/2004-176-0x0000000000CF0000-0x0000000000D48000-memory.dmp
memory/2004-177-0x00000000001D0000-0x00000000001D8000-memory.dmp
memory/968-210-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/968-224-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/968-231-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
\Users\Admin\AppData\Local\Temp\onefile_2096_133693590805900000\Caffeine AIO.exe
| MD5 | 64cee0725f4190838259cbeeec00db38 |
| SHA1 | 2280e6b01e1285b1ea18e86b0c40e0ef706c20eb |
| SHA256 | 5445cef5ba425b3a96bb4ae83b24d11337b59eb0f83b70ed00aba60a2f171a62 |
| SHA512 | d0caa84efc5e133af3f9454e274315f68420799efc7d76d29932103410171edcd620e983620cdb4e35d2117d880fe41856ea2b366eaaa4284e7fda08b56a4591 |
\Users\Admin\AppData\Local\Temp\onefile_2096_133693590805900000\python311.dll
| MD5 | 5a5dd7cad8028097842b0afef45bfbcf |
| SHA1 | e247a2e460687c607253949c52ae2801ff35dc4a |
| SHA256 | a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce |
| SHA512 | e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858 |
memory/3040-1028-0x000000013FF90000-0x000000014281B000-memory.dmp
memory/2096-1029-0x000000013FA10000-0x0000000140A88000-memory.dmp
memory/2096-2020-0x000000013FA10000-0x0000000140A88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 794d834f4a9a70041b3cad4d0002030f |
| SHA1 | facc1ed8ade82799866c8414406d80549c190a9b |
| SHA256 | 2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b |
| SHA512 | 2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565 |
memory/2100-2031-0x0000000000B70000-0x0000000000B7C000-memory.dmp