IOC Report


Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| Hpdyv8oO3j.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\RedLine.MainPanel-cracked.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Keylogger.exe.log | ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\Keylogger.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\ViRuS.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\hhzclipper.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61bc7bd88d10e97264127fe545415b17.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\RedLine.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Windows Update.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\WindowsUpdate.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\SysWOW64\user32dll.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_windows update.e_88669d6d392fdabab3f150c24b7e9ac915a06366_00000000_10d37750\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6493.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER6688.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\HOST.bat | DOS batch file, ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\SysInfo.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\bhvB786.tmp | Extensible storage engine DataBase, version 0x620, checksum 0x91cb4e71, page size 32768, DirtyShutdown, Windows version 10.0 | dropped | clean |
| C:\Users\user\AppData\Local\Temp\holderwb.txt | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\~DF48A538CB1AE66BD4.TMP | Composite Document File V2 Document, Cannot read section info | dropped | clean |
| C:\Users\user\AppData\Local\Temp\~DFCABBFD68A244241F.TMP | Composite Document File V2 Document, Cannot read section info | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Thu Nov 18 17:13:53 2021, mtime=Thu Nov 18 17:13:53 2021, atime=Thu Nov 18 17:13:52 2021, length=46132, window=hide | dropped | clean |
| C:\Users\user\AppData\Roaming\pid.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\pidloc.txt | ASCII text, with no line terminators | dropped | clean |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean |
| C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean |
| \Device\ConDrv | ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Users\user\Desktop\Hpdyv8oO3j.exe | "C:\Users\user\Desktop\Hpdyv8oO3j.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\Keylogger.exe | "C:\Users\user\AppData\Local\Temp\Keylogger.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\hhzclipper.exe | "C:\Users\user\AppData\Local\Temp\hhzclipper.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe | "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe | "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" | malicious |
| C:\Users\user\AppData\Local\Temp\ViRuS.exe | "C:\Users\user\AppData\Local\Temp\ViRuS.exe" | malicious |
| C:\Windows\SysWOW64\attrib.exe | C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe | malicious |
| C:\Windows\SysWOW64\attrib.exe | C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | malicious |
| C:\Users\user\AppData\Roaming\RedLine.exe | "C:\Users\user\AppData\Roaming\RedLine.exe" | malicious |
| C:\Users\user\AppData\Roaming\Windows Update.exe | "C:\Users\user\AppData\Roaming\Windows Update.exe" | malicious |
| C:\Windows\SysWOW64\user32dll.exe | "C:\Windows\SysWOW64\user32dll.exe" | malicious |