redline | b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe
Size

1.0MB
MD5

aed1eaa915cf8cbc5fc53e16a2d396a7
SHA1

11ac5f2819a0d173718aa67c3640ea55173abc2c
SHA256

b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b
SHA512

3352ddeb18cb6a646beb54a5dc8afef72164f24538b8df3ec2c0d98efc7392d5b63d75a3f3d9df9cfd324870574d6e6d63de5b682857a2df7934e899fe26cd7e
SSDEEP

24576:7ytiTYOGlGiiVKZKMFVSEgD4RslRgB2qfi15zWqQKYBL:u0ToIbVVMjiE2ZzW2YB

Score

10^/10

redline laswa mirko redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

laswa

83.97.73.127:19062

Attributes

auth_value
f93b7c6dad009734b220c3bf54087e12

Extracted

Family

redline

Botnet

mirko

83.97.73.127:19062

Attributes

auth_value
35111a095377107ec8b7d3e035831af8

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s3980798.exelegends.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s3980798.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	legends.exe

Executes dropped EXE 14 IoCs

Processes:

z6188508.exez0310925.exeo0431910.exep0552693.exer3238245.exes3980798.exes3980798.exelegends.exelegends.exeredline.exelegends.exelegends.exelegends.exelegends.exe

pid	process
3448	z6188508.exe
4264	z0310925.exe
1804	o0431910.exe
4028	p0552693.exe
1792	r3238245.exe
1688	s3980798.exe
4148	s3980798.exe
4748	legends.exe
2772	legends.exe
792	redline.exe
1648	legends.exe
3012	legends.exe
4676	legends.exe
980	legends.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3800 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3800	rundll32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z6188508.exez0310925.exeb51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6188508.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0310925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0310925.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6188508.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

Processes:

o0431910.exer3238245.exes3980798.exelegends.exelegends.exelegends.exe

description	pid	process	target process
PID 1804 set thread context of 2960	1804	o0431910.exe	AppLaunch.exe
PID 1792 set thread context of 1912	1792	r3238245.exe	AppLaunch.exe
PID 1688 set thread context of 4148	1688	s3980798.exe	s3980798.exe
PID 4748 set thread context of 2772	4748	legends.exe	legends.exe
PID 1648 set thread context of 3012	1648	legends.exe	legends.exe
PID 4676 set thread context of 980	4676	legends.exe	legends.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2160 3012 WerFault.exe legends.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1296 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exep0552693.exeAppLaunch.exeredline.exe

pid process

2960 AppLaunch.exe
2960 AppLaunch.exe
4028 p0552693.exe
4028 p0552693.exe
1912 AppLaunch.exe
1912 AppLaunch.exe
792 redline.exe
792 redline.exe

pid	pid_target	process	target process
2160	3012	WerFault.exe	legends.exe

pid	process
1296	schtasks.exe

pid	process
2960	AppLaunch.exe
2960	AppLaunch.exe
4028	p0552693.exe
4028	p0552693.exe
1912	AppLaunch.exe
1912	AppLaunch.exe
792	redline.exe
792	redline.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exep0552693.exes3980798.exelegends.exeAppLaunch.exeredline.exelegends.exelegends.exe

description	pid	process
Token: SeDebugPrivilege	2960	AppLaunch.exe
Token: SeDebugPrivilege	4028	p0552693.exe
Token: SeDebugPrivilege	1688	s3980798.exe
Token: SeDebugPrivilege	4748	legends.exe
Token: SeDebugPrivilege	1912	AppLaunch.exe
Token: SeDebugPrivilege	792	redline.exe
Token: SeDebugPrivilege	1648	legends.exe
Token: SeDebugPrivilege	4676	legends.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s3980798.exe

pid process

4148 s3980798.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

legends.exe

pid process

3012 legends.exe

pid	process
4148	s3980798.exe

pid	process
3012	legends.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exez6188508.exez0310925.exeo0431910.exer3238245.exes3980798.exes3980798.exelegends.exelegends.execmd.exe

description	pid	process	target process
PID 2092 wrote to memory of 3448	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	z6188508.exe
PID 2092 wrote to memory of 3448	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	z6188508.exe
PID 2092 wrote to memory of 3448	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	z6188508.exe
PID 3448 wrote to memory of 4264	3448	z6188508.exe	z0310925.exe
PID 3448 wrote to memory of 4264	3448	z6188508.exe	z0310925.exe
PID 3448 wrote to memory of 4264	3448	z6188508.exe	z0310925.exe
PID 4264 wrote to memory of 1804	4264	z0310925.exe	o0431910.exe
PID 4264 wrote to memory of 1804	4264	z0310925.exe	o0431910.exe
PID 4264 wrote to memory of 1804	4264	z0310925.exe	o0431910.exe
PID 1804 wrote to memory of 2960	1804	o0431910.exe	AppLaunch.exe
PID 1804 wrote to memory of 2960	1804	o0431910.exe	AppLaunch.exe
PID 1804 wrote to memory of 2960	1804	o0431910.exe	AppLaunch.exe
PID 1804 wrote to memory of 2960	1804	o0431910.exe	AppLaunch.exe
PID 1804 wrote to memory of 2960	1804	o0431910.exe	AppLaunch.exe
PID 4264 wrote to memory of 4028	4264	z0310925.exe	p0552693.exe
PID 4264 wrote to memory of 4028	4264	z0310925.exe	p0552693.exe
PID 4264 wrote to memory of 4028	4264	z0310925.exe	p0552693.exe
PID 3448 wrote to memory of 1792	3448	z6188508.exe	r3238245.exe
PID 3448 wrote to memory of 1792	3448	z6188508.exe	r3238245.exe
PID 3448 wrote to memory of 1792	3448	z6188508.exe	r3238245.exe
PID 1792 wrote to memory of 1912	1792	r3238245.exe	AppLaunch.exe
PID 1792 wrote to memory of 1912	1792	r3238245.exe	AppLaunch.exe
PID 1792 wrote to memory of 1912	1792	r3238245.exe	AppLaunch.exe
PID 1792 wrote to memory of 1912	1792	r3238245.exe	AppLaunch.exe
PID 1792 wrote to memory of 1912	1792	r3238245.exe	AppLaunch.exe
PID 2092 wrote to memory of 1688	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	s3980798.exe
PID 2092 wrote to memory of 1688	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	s3980798.exe
PID 2092 wrote to memory of 1688	2092	b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 1688 wrote to memory of 4148	1688	s3980798.exe	s3980798.exe
PID 4148 wrote to memory of 4748	4148	s3980798.exe	legends.exe
PID 4148 wrote to memory of 4748	4148	s3980798.exe	legends.exe
PID 4148 wrote to memory of 4748	4148	s3980798.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 4748 wrote to memory of 2772	4748	legends.exe	legends.exe
PID 2772 wrote to memory of 1296	2772	legends.exe	schtasks.exe
PID 2772 wrote to memory of 1296	2772	legends.exe	schtasks.exe
PID 2772 wrote to memory of 1296	2772	legends.exe	schtasks.exe
PID 2772 wrote to memory of 4172	2772	legends.exe	cmd.exe
PID 2772 wrote to memory of 4172	2772	legends.exe	cmd.exe
PID 2772 wrote to memory of 4172	2772	legends.exe	cmd.exe
PID 4172 wrote to memory of 2076	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 2076	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 2076	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 4708	4172	cmd.exe	cacls.exe
PID 4172 wrote to memory of 4708	4172	cmd.exe	cacls.exe
PID 4172 wrote to memory of 4708	4172	cmd.exe	cacls.exe
PID 4172 wrote to memory of 1228	4172	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe
"C:\Users\Admin\AppData\Local\Temp\b51f66da49328af47f39e325ab20eb9ea476877e73c386b76fdcb5c239e51d5b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6188508.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6188508.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0310925.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0310925.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0431910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0431910.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0552693.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0552693.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3238245.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3238245.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
"C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legends.exe /TR "C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe" /F
6⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legends.exe" /P "Admin:N"&&CACLS "legends.exe" /P "Admin:R" /E&&echo Y|CACLS "..\41bde21dc7" /P "Admin:N"&&CACLS "..\41bde21dc7" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2076

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:N"
7⤵
PID:4708

C:\Windows\SysWOW64\cacls.exe
CACLS "legends.exe" /P "Admin:R" /E
7⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3484

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:N"
7⤵
PID:4240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\41bde21dc7" /P "Admin:R" /E
7⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:3800

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 12
3⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3012 -ip 3012
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
2⤵
- Executes dropped EXE
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\legends.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\41bde21dc7\legends.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3980798.exe
Filesize
963KB

MD5
e391868f1b233778519ca58fe637ec32

SHA1
e65dbf79af11e787a03e2b58a3a5804f9d59f3c3

SHA256
02da3ce6c586c9a38a8967326eea0963101dfe856222cff40c9a965a3638d8de

SHA512
265b1aed6bad29ff96c527e69a5c634f1317a303059ad89c6a38059fcc9a76462a70f9fbcdcea884f8b4645ffcaab165ed1e88a27906e0a83d83df1ec2fa81c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6188508.exe
Filesize
609KB

MD5
6c7f2ef551be12dc9cf480a68d23648b

SHA1
be64efbd65c6c76d798ce461adcb320e513df0e9

SHA256
09155ca124c13b2b87c77f7fd8aae0c1b1dd5c33c2b53845026b72999ffcba79

SHA512
946a71066ce971e2bbd2623c4973529f45e43f3d6599a6f281058b486d0055d0a6e8b5fbc51147e34e22486e4f04f61b197a1e1bc073fc56d2c62d58c6c33e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6188508.exe
Filesize
609KB

MD5
6c7f2ef551be12dc9cf480a68d23648b

SHA1
be64efbd65c6c76d798ce461adcb320e513df0e9

SHA256
09155ca124c13b2b87c77f7fd8aae0c1b1dd5c33c2b53845026b72999ffcba79

SHA512
946a71066ce971e2bbd2623c4973529f45e43f3d6599a6f281058b486d0055d0a6e8b5fbc51147e34e22486e4f04f61b197a1e1bc073fc56d2c62d58c6c33e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3238245.exe
Filesize
326KB

MD5
4488111b578e3656ab7c6eeb17fdcf6f

SHA1
1cae9e2091546d4f02f0ef5cfaf7b5fd55d2e8bf

SHA256
3a6f0caa316e82ac99fc3eee668249622562279efcf7e413813a961336df1e11

SHA512
199fb7a675fa7290f508f42235b4be275c1f50fb60a0310bdad459e2018526189f1e56b50f9b1c297962ae3ee3b1d21324296292d90bbfcafc0b05917572e75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3238245.exe
Filesize
326KB

MD5
4488111b578e3656ab7c6eeb17fdcf6f

SHA1
1cae9e2091546d4f02f0ef5cfaf7b5fd55d2e8bf

SHA256
3a6f0caa316e82ac99fc3eee668249622562279efcf7e413813a961336df1e11

SHA512
199fb7a675fa7290f508f42235b4be275c1f50fb60a0310bdad459e2018526189f1e56b50f9b1c297962ae3ee3b1d21324296292d90bbfcafc0b05917572e75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0310925.exe
Filesize
290KB

MD5
630fbeeeaae16cf224bd7c4e530f5e8c

SHA1
8a5dd1b37e9ba2766412110343e560e22f0945ad

SHA256
ae3b1665d56fd311cb5ab24c5f44925c02dedbfd77be2306ba32609f5f7c36df

SHA512
c5bdb0857827bc321cbe8386872d7580bba98134fc7c14eb689d95e7f0b13d376b9322beec30c8361df9df4f0c6a7ebeac4b01b5e714193621bee8c8453734d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0310925.exe
Filesize
290KB

MD5
630fbeeeaae16cf224bd7c4e530f5e8c

SHA1
8a5dd1b37e9ba2766412110343e560e22f0945ad

SHA256
ae3b1665d56fd311cb5ab24c5f44925c02dedbfd77be2306ba32609f5f7c36df

SHA512
c5bdb0857827bc321cbe8386872d7580bba98134fc7c14eb689d95e7f0b13d376b9322beec30c8361df9df4f0c6a7ebeac4b01b5e714193621bee8c8453734d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0431910.exe
Filesize
193KB

MD5
63a4c4c10db88db4cc5d66cd6a6e59ee

SHA1
9f6a75e69bbf3b9b4d0ddac554890d62b0ffa67f

SHA256
23b6a51b47cda3f0663e518bd73d73bace4e1bf8eb2a01a022b83fd0eceadc00

SHA512
c2d6adb793a2bd5b4a1fe9f19e3f293326caf48347a4dd24c8fbe351cc69c143562ec3cc2db12dcd53de85387233c1773570bac0ce2e37c89cfa6863ecbc3ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o0431910.exe
Filesize
193KB

MD5
63a4c4c10db88db4cc5d66cd6a6e59ee

SHA1
9f6a75e69bbf3b9b4d0ddac554890d62b0ffa67f

SHA256
23b6a51b47cda3f0663e518bd73d73bace4e1bf8eb2a01a022b83fd0eceadc00

SHA512
c2d6adb793a2bd5b4a1fe9f19e3f293326caf48347a4dd24c8fbe351cc69c143562ec3cc2db12dcd53de85387233c1773570bac0ce2e37c89cfa6863ecbc3ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0552693.exe
Filesize
168KB

MD5
e66f5413823f9b7495071fb2c78b5fe0

SHA1
2b5e209eada22e62ca6e9fa929496aeb93fcebf1

SHA256
4bbe8bbc9b6997faecb197217e5079a5e4191fa77b824300b13087cf7eb34b3d

SHA512
a16f298e423c8364ab7376f6125c181946e8d2b2605e69b2a2db43e5f820ba334d93ca2c654d21825de980abac44328f0984a3bdea563fb99f4bf51768a1eba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p0552693.exe
Filesize
168KB

MD5
e66f5413823f9b7495071fb2c78b5fe0

SHA1
2b5e209eada22e62ca6e9fa929496aeb93fcebf1

SHA256
4bbe8bbc9b6997faecb197217e5079a5e4191fa77b824300b13087cf7eb34b3d

SHA512
a16f298e423c8364ab7376f6125c181946e8d2b2605e69b2a2db43e5f820ba334d93ca2c654d21825de980abac44328f0984a3bdea563fb99f4bf51768a1eba6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73c0c85e39b9a63b42f6c4ff6d634f8b

SHA1
efb047b4177ad78268f6fc8bf959f58f1123eb51

SHA256
477252e3531300fe2a21a679fba3664803179e91a1a4d5dd44080dbd41126368

SHA512
ca32507717c2c099d54a5473fb062083237f7fda9c076e9a957b70072f41a78eedf9244b50862b81d00374297e3795021ad6db943c8408da50b1da8b5ed4a643

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/792-247-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/792-249-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/792-248-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/980-283-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/980-282-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/980-281-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-253-0x0000000007120000-0x0000000007130000-memory.dmp

Filesize
64KB

Download
memory/1688-192-0x0000000000140000-0x0000000000238000-memory.dmp

Filesize
992KB

Download
memory/1688-194-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/1912-193-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1912-183-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/2772-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-244-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2960-155-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3012-256-0x0000000000370000-0x0000000000370000-memory.dmp

Download
memory/4028-171-0x000000000BCC0000-0x000000000C264000-memory.dmp

Filesize
5.6MB

Download
memory/4028-177-0x000000000CB40000-0x000000000D06C000-memory.dmp

Filesize
5.2MB

Download
memory/4028-163-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/4028-164-0x000000000B0F0000-0x000000000B708000-memory.dmp

Filesize
6.1MB

Download
memory/4028-165-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

Filesize
1.0MB

Download
memory/4028-166-0x000000000AAF0000-0x000000000AB02000-memory.dmp

Filesize
72KB

Download
memory/4028-167-0x000000000AB50000-0x000000000AB8C000-memory.dmp

Filesize
240KB

Download
memory/4028-168-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4028-176-0x000000000C440000-0x000000000C602000-memory.dmp

Filesize
1.8MB

Download
memory/4028-175-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4028-173-0x000000000B870000-0x000000000B8C0000-memory.dmp

Filesize
320KB

Download
memory/4028-172-0x000000000B010000-0x000000000B076000-memory.dmp

Filesize
408KB

Download
memory/4028-170-0x000000000AF70000-0x000000000B002000-memory.dmp

Filesize
584KB

Download
memory/4028-169-0x000000000AE50000-0x000000000AEC6000-memory.dmp

Filesize
472KB

Download
memory/4148-195-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4148-198-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4148-199-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4148-201-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4148-215-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4676-278-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/4748-216-0x0000000007180000-0x0000000007190000-memory.dmp

Filesize
64KB

Download