redline | dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe
Size

1.0MB
MD5

3bc3b95074a485e5b1b8d7deadfc298d
SHA1

02d930c2f11e1b417906ffc39e8c2c540b976265
SHA256

dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06
SHA512

ebdf8024003b90bb4974a9f8d0dafa2ea059aab80cb7dbe64b2a923cd369e1afb5f9af3e2daf47a4cf1000b8fd822bedf3c4d7bdccd9dc3efd73092b8f61520e
SSDEEP

24576:Wy6yFBPF0a3fV9trAik7ARCDBl1sRH/bD3nmqDCg7UY:lLFPT3fV91Xk7ARan18zmG

Score

10^/10

redline laswa mirko redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

laswa

83.97.73.127:19062

Attributes

auth_value
f93b7c6dad009734b220c3bf54087e12

Extracted

Family

redline

Botnet

mirko

83.97.73.127:19062

Attributes

auth_value
35111a095377107ec8b7d3e035831af8

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s4486077.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s4486077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 15 IoCs

Processes:

z5256843.exez9951143.exeo0505022.exep1928451.exer8410801.exes4486077.exes4486077.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exelegends.exe

pid	process
4760	z5256843.exe
4112	z9951143.exe
4828	o0505022.exe
3624	p1928451.exe
4180	r8410801.exe
3944	s4486077.exe
220	s4486077.exe
3812	legends.exe
3192	legends.exe
3320	redline.exe
5084	legends.exe
2988	legends.exe
3172	legends.exe
2660	legends.exe
4732	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3972 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3972	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exez5256843.exez9951143.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5256843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5256843.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9951143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9951143.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o0505022.exer8410801.exes4486077.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 4828 set thread context of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4180 set thread context of 3700	4180	r8410801.exe	AppLaunch.exe
PID 3944 set thread context of 220	3944	s4486077.exe	s4486077.exe
PID 3812 set thread context of 3192	3812	legends.exe	legends.exe
PID 5084 set thread context of 2988	5084	legends.exe	legends.exe
PID 3172 set thread context of 4732	3172	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4312 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep1928451.exeAppLaunch.exeredline.exe

pid process

3084 AppLaunch.exe
3084 AppLaunch.exe
3624 p1928451.exe
3624 p1928451.exe
3700 AppLaunch.exe
3700 AppLaunch.exe
3320 redline.exe
3320 redline.exe

pid	process
4312	schtasks.exe

pid	process
3084	AppLaunch.exe
3084	AppLaunch.exe
3624	p1928451.exe
3624	p1928451.exe
3700	AppLaunch.exe
3700	AppLaunch.exe
3320	redline.exe
3320	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep1928451.exes4486077.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	3084	AppLaunch.exe
Token: SeDebugPrivilege	3624	p1928451.exe
Token: SeDebugPrivilege	3944	s4486077.exe
Token: SeDebugPrivilege	3812	legends.exe
Token: SeDebugPrivilege	3700	AppLaunch.exe
Token: SeDebugPrivilege	3320	redline.exe
Token: SeDebugPrivilege	5084	legends.exe
Token: SeDebugPrivilege	3172	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s4486077.exe

pid process

220 s4486077.exe

pid	process
220	s4486077.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exez5256843.exez9951143.exeo0505022.exer8410801.exes4486077.exes4486077.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 980 wrote to memory of 4760	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	z5256843.exe
PID 980 wrote to memory of 4760	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	z5256843.exe
PID 980 wrote to memory of 4760	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	z5256843.exe
PID 4760 wrote to memory of 4112	4760	z5256843.exe	z9951143.exe
PID 4760 wrote to memory of 4112	4760	z5256843.exe	z9951143.exe
PID 4760 wrote to memory of 4112	4760	z5256843.exe	z9951143.exe
PID 4112 wrote to memory of 4828	4112	z9951143.exe	o0505022.exe
PID 4112 wrote to memory of 4828	4112	z9951143.exe	o0505022.exe
PID 4112 wrote to memory of 4828	4112	z9951143.exe	o0505022.exe
PID 4828 wrote to memory of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4828 wrote to memory of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4828 wrote to memory of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4828 wrote to memory of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4828 wrote to memory of 3084	4828	o0505022.exe	AppLaunch.exe
PID 4112 wrote to memory of 3624	4112	z9951143.exe	p1928451.exe
PID 4112 wrote to memory of 3624	4112	z9951143.exe	p1928451.exe
PID 4112 wrote to memory of 3624	4112	z9951143.exe	p1928451.exe
PID 4760 wrote to memory of 4180	4760	z5256843.exe	r8410801.exe
PID 4760 wrote to memory of 4180	4760	z5256843.exe	r8410801.exe
PID 4760 wrote to memory of 4180	4760	z5256843.exe	r8410801.exe
PID 4180 wrote to memory of 3700	4180	r8410801.exe	AppLaunch.exe
PID 4180 wrote to memory of 3700	4180	r8410801.exe	AppLaunch.exe
PID 4180 wrote to memory of 3700	4180	r8410801.exe	AppLaunch.exe
PID 4180 wrote to memory of 3700	4180	r8410801.exe	AppLaunch.exe
PID 4180 wrote to memory of 3700	4180	r8410801.exe	AppLaunch.exe
PID 980 wrote to memory of 3944	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	s4486077.exe
PID 980 wrote to memory of 3944	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	s4486077.exe
PID 980 wrote to memory of 3944	980	dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 3944 wrote to memory of 220	3944	s4486077.exe	s4486077.exe
PID 220 wrote to memory of 3812	220	s4486077.exe	legends.exe
PID 220 wrote to memory of 3812	220	s4486077.exe	legends.exe
PID 220 wrote to memory of 3812	220	s4486077.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3812 wrote to memory of 3192	3812	legends.exe	legends.exe
PID 3192 wrote to memory of 4312	3192	legends.exe	schtasks.exe
PID 3192 wrote to memory of 4312	3192	legends.exe	schtasks.exe
PID 3192 wrote to memory of 4312	3192	legends.exe	schtasks.exe
PID 3192 wrote to memory of 792	3192	legends.exe	cmd.exe
PID 3192 wrote to memory of 792	3192	legends.exe	cmd.exe
PID 3192 wrote to memory of 792	3192	legends.exe	cmd.exe
PID 792 wrote to memory of 3780	792	cmd.exe	cmd.exe
PID 792 wrote to memory of 3780	792	cmd.exe	cmd.exe
PID 792 wrote to memory of 3780	792	cmd.exe	cmd.exe
PID 792 wrote to memory of 3232	792	cmd.exe	cacls.exe
PID 792 wrote to memory of 3232	792	cmd.exe	cacls.exe
PID 792 wrote to memory of 3232	792	cmd.exe	cacls.exe
PID 792 wrote to memory of 4488	792	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe
"C:\Users\Admin\AppData\Local\Temp\dc28b0514454850dd35ea03aa68ad664fe9ed059e6713eefccd82fc52fc2fb06.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5256843.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5256843.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9951143.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9951143.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0505022.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0505022.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1928451.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1928451.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8410801.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8410801.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3780

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1088

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:1200

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:3972

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s4486077.exe
Filesize
963KB

MD5
4d67c9b32798d8aa1d4b762fa171c7cb

SHA1
ed1950a0fe82627f819a6814d5ac6a2e1981aa2e

SHA256
233a84df9ea32f19bdf0b9c24df2e1b57d25bbb74f7a971cf555b3ef3402be0b

SHA512
9dd6679d552295e122c476dececa0f8042cd00af43a4576c55ed9303cd0c96e36529c28961faf048837c78390160b5564600dcc9bf743492878d0c5da316f858

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5256843.exe
Filesize
610KB

MD5
81b312dae42c95b6c6520a0093cf2fcb

SHA1
fb15191496844e9c3de08145ac65a2ef254854a1

SHA256
56dab6f68ac090c536f561587ccfa7837c07b71dee381ea3dbdcc2533ec89d1a

SHA512
33775abfb141e4d0f650b85cf42e9a6e2e290395c8e345168abdec290c817fda664e4d1dcbf5d4267ffcb9ac574ce76490e5993b461fad03bc41d85063e90106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5256843.exe
Filesize
610KB

MD5
81b312dae42c95b6c6520a0093cf2fcb

SHA1
fb15191496844e9c3de08145ac65a2ef254854a1

SHA256
56dab6f68ac090c536f561587ccfa7837c07b71dee381ea3dbdcc2533ec89d1a

SHA512
33775abfb141e4d0f650b85cf42e9a6e2e290395c8e345168abdec290c817fda664e4d1dcbf5d4267ffcb9ac574ce76490e5993b461fad03bc41d85063e90106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8410801.exe
Filesize
326KB

MD5
a348e05f1469fd628e941c7f93caa276

SHA1
7672738d92e71419dcabbb8344c4c37eaf542c77

SHA256
8e1e563260b70d8640b84c2b19583a2992978b1eb521ecb05d6e712339702a51

SHA512
6fa54c07fa181f6b0537c7bcbc72e900397858c9b94021575283fdad4a54f3d34bcb66b2f0e18c3511b3f1db636710e03f0d6932783070f35e2e786b4ca50aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8410801.exe
Filesize
326KB

MD5
a348e05f1469fd628e941c7f93caa276

SHA1
7672738d92e71419dcabbb8344c4c37eaf542c77

SHA256
8e1e563260b70d8640b84c2b19583a2992978b1eb521ecb05d6e712339702a51

SHA512
6fa54c07fa181f6b0537c7bcbc72e900397858c9b94021575283fdad4a54f3d34bcb66b2f0e18c3511b3f1db636710e03f0d6932783070f35e2e786b4ca50aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9951143.exe
Filesize
291KB

MD5
f8ce38eefded5c664482f0d8a56e8243

SHA1
8ac440bc87271a14b5c81dfc797624590a17dea4

SHA256
70c4a6bb1e512b4bfdbc6b99dd9036d2275d47afef1cb29f2179d61ae99ee855

SHA512
505146dd8c222150a8a035cda442b982be7054fad0eaf291ddd411bfc97d1dbe2ce279ad6cb5e0d3c9320e58fba7ba83fbc9c63c0559b5365e12a4511a4bf4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9951143.exe
Filesize
291KB

MD5
f8ce38eefded5c664482f0d8a56e8243

SHA1
8ac440bc87271a14b5c81dfc797624590a17dea4

SHA256
70c4a6bb1e512b4bfdbc6b99dd9036d2275d47afef1cb29f2179d61ae99ee855

SHA512
505146dd8c222150a8a035cda442b982be7054fad0eaf291ddd411bfc97d1dbe2ce279ad6cb5e0d3c9320e58fba7ba83fbc9c63c0559b5365e12a4511a4bf4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0505022.exe
Filesize
192KB

MD5
579dd87a597def050a1d9b51f314b144

SHA1
b1524e2fc67dc35d292b59ca8d7e18402364ab51

SHA256
3d0670316f3fb1478e399bfc0c7786ab72dfdb187b4de53712e8ca3dddeb0da0

SHA512
002fcc7dd9a0145a873d05391b9a8964ee10b1600f53b1386597e6bfd4db053cf6181e21ac48311e8cdfa7afee81f3d4db8389b06f4601223a2a10423c97773d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0505022.exe
Filesize
192KB

MD5
579dd87a597def050a1d9b51f314b144

SHA1
b1524e2fc67dc35d292b59ca8d7e18402364ab51

SHA256
3d0670316f3fb1478e399bfc0c7786ab72dfdb187b4de53712e8ca3dddeb0da0

SHA512
002fcc7dd9a0145a873d05391b9a8964ee10b1600f53b1386597e6bfd4db053cf6181e21ac48311e8cdfa7afee81f3d4db8389b06f4601223a2a10423c97773d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1928451.exe
Filesize
168KB

MD5
82c47c54339067d5126f583c827a602b

SHA1
6b613473708363bf09555fa57eafb47a2ae65d6b

SHA256
8181bafa5c79bb8c23b780fed9b82fe32ff1e86ae085a52f1570a85c42391e13

SHA512
b86c822a0af75c52c57c31c354e2b5c3b6d7f50cb06f2f80c2f4f81a2df9172db2191d164cfad50f0876c4bbca80ba78b8c04481b4b2ead7a263a492c7e978f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p1928451.exe
Filesize
168KB

MD5
82c47c54339067d5126f583c827a602b

SHA1
6b613473708363bf09555fa57eafb47a2ae65d6b

SHA256
8181bafa5c79bb8c23b780fed9b82fe32ff1e86ae085a52f1570a85c42391e13

SHA512
b86c822a0af75c52c57c31c354e2b5c3b6d7f50cb06f2f80c2f4f81a2df9172db2191d164cfad50f0876c4bbca80ba78b8c04481b4b2ead7a263a492c7e978f4

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/220-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/220-211-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/220-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/220-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/220-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2988-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3084-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3192-245-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3192-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-248-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3320-249-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3320-247-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/3624-172-0x000000000AF30000-0x000000000AF96000-memory.dmp

Filesize
408KB

Download
memory/3624-166-0x000000000A2C0000-0x000000000A2D2000-memory.dmp

Filesize
72KB

Download
memory/3624-171-0x000000000B3E0000-0x000000000B984000-memory.dmp

Filesize
5.6MB

Download
memory/3624-163-0x0000000000550000-0x000000000057E000-memory.dmp

Filesize
184KB

Download
memory/3624-164-0x000000000A810000-0x000000000AE28000-memory.dmp

Filesize
6.1MB

Download
memory/3624-177-0x000000000C360000-0x000000000C88C000-memory.dmp

Filesize
5.2MB

Download
memory/3624-175-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3624-165-0x000000000A390000-0x000000000A49A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-176-0x000000000BC60000-0x000000000BE22000-memory.dmp

Filesize
1.8MB

Download
memory/3624-170-0x000000000A750000-0x000000000A7E2000-memory.dmp

Filesize
584KB

Download
memory/3624-167-0x000000000A320000-0x000000000A35C000-memory.dmp

Filesize
240KB

Download
memory/3624-168-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3624-174-0x000000000B390000-0x000000000B3E0000-memory.dmp

Filesize
320KB

Download
memory/3624-169-0x000000000A630000-0x000000000A6A6000-memory.dmp

Filesize
472KB

Download
memory/3700-193-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3700-183-0x0000000000710000-0x000000000073A000-memory.dmp

Filesize
168KB

Download
memory/3812-216-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

Filesize
64KB

Download
memory/3944-192-0x0000000000BE0000-0x0000000000CD8000-memory.dmp

Filesize
992KB

Download
memory/3944-194-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/4732-285-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-284-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5084-253-0x0000000006ED0000-0x0000000006EE0000-memory.dmp

Filesize
64KB

Download